CVE-2026-47324
Stored XSS in ProjectsAndPrograms School-Management-System

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: CERT.PL

Description
ProjectsAndPrograms school-management-system is vulnerable to Stored Cross‑Site Scripting (XSS) in multiple attributes of students and teachers objects. An authorized attacker (e.g., a teacher or administrator) can inject malicious JavaScript that is subsequently executed in other users’ browsers. Critically, when chained with CVE‑2025‑11661, which allows unauthenticated access to backend endpoints, this vulnerability can be exploited by a remote attacker without privileges to inject and execute arbitrary JavaScript. The maintainers were notified early about this vulnerability but did not provide details regarding affected versions. The version corresponding to commit 6b6fae5 was tested and confirmed vulnerable; other versions were not tested and may also be affected.
Affected Vendors & Products
Vendor Product Version / Range
projectsandprograms school-management-system From 6b6fae5 (inc)
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

The ProjectsAndPrograms school-management-system is vulnerable to Stored Cross-Site Scripting (XSS) in multiple attributes of students and teachers objects.

An authorized attacker, such as a teacher or administrator, can inject malicious JavaScript code that will be stored and later executed in other users' browsers.

Additionally, if this vulnerability is combined with CVE-2025-11661, which allows unauthenticated access to backend endpoints, a remote attacker without any privileges can exploit this to inject and execute arbitrary JavaScript.


How can this vulnerability impact me?

This vulnerability can allow attackers to execute malicious JavaScript in the browsers of other users, potentially leading to session hijacking, data theft, or unauthorized actions performed on behalf of the victim.

If combined with another vulnerability (CVE-2025-11661), even remote attackers without any privileges can exploit this, increasing the risk and impact.


What immediate steps should I take to mitigate this vulnerability?

To mitigate the Stored Cross-Site Scripting (XSS) vulnerability in the ProjectsAndPrograms school-management-system, immediate steps include restricting or reviewing the privileges of authorized users such as teachers and administrators who can inject malicious JavaScript.

Additionally, since this vulnerability can be chained with CVE-2025-11661 to allow remote exploitation without privileges, it is important to secure backend endpoints to prevent unauthenticated access.

Monitoring and sanitizing inputs in multiple attributes of students and teachers objects to prevent injection of malicious scripts is recommended.

Finally, coordinate with the software maintainers for patches or updates, and consider restricting user input or applying web application firewalls to block malicious payloads.
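The core fix for a CWE-79 defect of this kind is contextual output encoding: a student or teacher attribute must be HTML-encoded at the moment it is written into a page, not merely filtered on the way in. The following is an added example written for this page, not code from the School-Management-System project; the record shape (id, name, email, note) and the function names are assumptions. It places the vulnerable string-concatenation pattern beside its hardened form, and adds a review helper that flags already-stored records containing markup, since encoding fixes rendering but leaves previously injected data in the database.

```javascript
// Added example, not code from the School-Management-System project.
// Shows the CWE-79 defect and its fix for stored student/teacher attributes:
// values must be HTML-encoded at output time for the context they land in.
// Record shape (id, name, email, note) and function names are assumptions.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode a value for safe interpolation into HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: stored attributes concatenated straight into markup.
// A name containing tags, or a note containing a double quote, changes the
// page structure instead of being displayed as text.
function renderStudentRowUnsafe(student) {
  return `<tr data-id="${student.id}"><td>${student.name}</td>` +
    `<td>${student.email}</td><td title="${student.note}">note</td></tr>`;
}

// Hardened: every untrusted field is encoded; the numeric id is coerced.
function renderStudentRow(student) {
  return `<tr data-id="${Number(student.id)}"><td>${escapeHtml(student.name)}</td>` +
    `<td>${escapeHtml(student.email)}</td>` +
    `<td title="${escapeHtml(student.note)}">note</td></tr>`;
}

// Defender check for records already in the database: flag fields that
// contain markup or script-like fragments so they can be reviewed after the
// output-encoding fix is deployed. This is a review heuristic, not a sanitizer.
const MARKUP_PATTERN = /<[a-z!\/]|\bon[a-z]+\s*=|javascript:/i;

function findSuspiciousRecords(records, fields) {
  const hits = [];
  for (const record of records) {
    for (const field of fields) {
      if (MARKUP_PATTERN.test(String(record[field] ?? ''))) {
        hits.push({ id: record.id, field });
      }
    }
  }
  return hits;
}

// Constructed sample records (not real data). Record 2 carries markup in
// its name and a plain double quote in its note, which is enough to break
// the unsafe attribute context even without any malicious intent.
const SAMPLE_STUDENTS = [
  { id: 1, name: 'Ada Lovelace', email: 'ada@example.org', note: 'Honours' },
  { id: 2, name: '<b>injected</b>', email: 'x@example.org', note: 'Needs "extra" help' },
];

for (const s of SAMPLE_STUDENTS) {
  console.log('unsafe:', renderStudentRowUnsafe(s));
  console.log('safe:  ', renderStudentRow(s));
}
console.log('review:', findSuspiciousRecords(SAMPLE_STUDENTS, ['name', 'email', 'note']));
```

Running the block shows the unsafe renderer emitting the `<b>` tag as live markup and the note's quote terminating the `title` attribute early, while the hardened renderer emits `&lt;b&gt;` and `&quot;` so the browser displays the text verbatim. The review helper reports only record 2's name field, which is the kind of list an administrator would want to walk through once the rendering fix is in place.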

