Description

PolarLearn is a free and open-source learning program. Prior to version 0-PRERELEASE-15, the vote API route (`POST /api/v1/forum/vote`) trusts the JSON body’s `direction` value without runtime validation. TypeScript types are not enforced at runtime, so an attacker can send arbitrary strings (e.g., `"x"`) as `direction`. Downstream (`VoteServer`) treats any non-`"up"` and non-`null` value as a downvote and persists the invalid value in `votes_data`. This can be exploited to bypass intended business logic. Version 0-PRERELEASE-15 fixes the vulnerability.

INFO

Published Date :

2026-01-29T22:06:37.224Z

Last Modified :

2026-02-02T16:34:07.949Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-25126 vulnerability.

Vendors Products
Polarlearn
  • Polarlearn
Polarnl
  • Polarlearn
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-25126.

URL Resource
https://github.com/polarnl/PolarLearn/commit/e6227d94d0e53e854f6a46480db8cd1051184d41 cve-icon cve-icon
https://github.com/polarnl/PolarLearn/security/advisories/GHSA-ghpx-5w2p-p3qp cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact