Home > Vulnerability Database > CVE-2026-25126

Mend.io Vulnerability Database

CVE-2026-25126

Good to know:

Date: January 29, 2026

PolarLearn is a free and open-source learning program. Prior to version 0-PRERELEASE-15, the vote API route ("POST /api/v1/forum/vote") trusts the JSON body’s "direction" value without runtime validation. TypeScript types are not enforced at runtime, so an attacker can send arbitrary strings (e.g., ""x"") as "direction". Downstream ("VoteServer") treats any non-""up"" and non-"null" value as a downvote and persists the invalid value in "votes_data". This can be exploited to bypass intended business logic. Version 0-PRERELEASE-15 fixes the vulnerability.

Severity Score

7.1

Related Resources (4)

Url: https://github.com/polarnl/PolarLearn/commit/e6227d94d0e53e854f6a46480db8cd1051184d41

Url: https://github.com/polarnl/PolarLearn/security/advisories/GHSA-ghpx-5w2p-p3qp

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-25126

Url: https://www.mend.io/vulnerability-database/CVE-2026-25126

Severity Score

7.1

Weakness Type (CWE)

Improper Input Validation

CWE-20

CVSS v3.1

Base Score:	7.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	HIGH
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2026-25126

Good to know:

Date: January 29, 2026

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?