CVE-2026-25221 — HIGH (8.1)

Vulnerability Description

PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, the OAuth 2.0 implementation for GitHub and Google login providers is vulnerable to Login Cross-Site Request Forgery (CSRF). The application fails to implement and verify the state parameter during the authentication flow. This allows an attacker to pre-authenticate a session and trick a victim into logging into the attacker's account. Any data the victim then enters or academic progress they make is stored on the attacker's account, leading to data loss for the victim and information disclosure to the attacker.

CVSS Score

8.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Polarlearn	Polarlearn	-

Related Weaknesses (CWE)

CWE-352

References

https://github.com/polarnl/PolarLearn/commit/44669bbb5b647c7625f22dd82f3121c7d7bPatch
https://github.com/polarnl/PolarLearn/security/advisories/GHSA-fhhm-574m-7rpwExploitVendor Advisory

FAQ

What is CVE-2026-25221?

CVE-2026-25221 is a vulnerability with a CVSS score of 8.1 (HIGH). PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, the OAuth 2.0 implementation for GitHub and Google login providers is vulnerable to Login Cross-Site Request Forg...

How severe is CVE-2026-25221?

CVE-2026-25221 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-25221?

Check the references section above for vendor advisories and patch information. Affected products include: Polarlearn Polarlearn.