Vote API Vulnerability in PolarLearn Affecting Open-Source Learning Software
CVE-2026-25126

7.1HIGH

Key Information:

Vendor: Polarnl
Status: Polarlearn
Vendor: CVE Published:; 29 January 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-25126?

PolarLearn, an open-source learning program, contains a vulnerability in its vote API that allows attackers to exploit improper validation of the JSON body’s direction parameter. Prior to the release of version 0-PRERELEASE-15, the application does not enforce TypeScript types at runtime, enabling attackers to submit arbitrary strings in place of expected values. The VoteServer interprets these invalid inputs as downvotes, compromising the integrity of voting logic and data persistence. This flaw can be leveraged to bypass intended functionality, leading to potential manipulation of user votes.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

PolarLearn < 0-PRERELEASE-15

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-25126
Created by Jvr2022

References

https://github.com/polarnl/PolarLearn/security/advisories...

x_refsource_CONFIRM

https://github.com/polarnl/PolarLearn/commit/e6227d94d0e5...

x_refsource_MISC

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

High

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Jan 31, 2026
👾
Exploit known to exist
Jan 31, 2026
Vulnerability published
Jan 29, 2026
Vulnerability Reserved
Jan 29, 2026

JSON

Polarnl