CVE-2026-47324
Stored XSS in ProjectsAndPrograms School-Management-System

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: CERT.PL

Description
ProjectsAndPrograms school-management-system is vulnerable to Stored Cross-Site Scripting (XSS) in multiple attributes of student and teacher objects. An authorized attacker (e.g., a teacher or administrator) can inject malicious JavaScript that is subsequently executed in other users' browsers. Critically, when chained with CVE-2025-11661, which allows unauthenticated access to backend endpoints, this vulnerability can be exploited by a remote attacker without privileges to inject and execute arbitrary JavaScript. The maintainers were notified early about this vulnerability but did not provide details regarding affected versions. The version corresponding to commit 6b6fae5 was tested and confirmed vulnerable; other versions were not tested and may also be affected.
Meta Information
Generated: 2026-06-23
AI Q&A: 2026-06-03
EPSS evaluated: 2026-06-22
Affected Vendors & Products
Vendor: projectsandprograms
Product: school-management-system
Version / Range: from commit 6b6fae5 (inclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Executive Summary

The ProjectsAndPrograms school-management-system is vulnerable to Stored Cross-Site Scripting (XSS) in multiple attributes of student and teacher objects.

An authorized attacker, such as a teacher or administrator, can inject malicious JavaScript code that will be stored and later executed in other users' browsers.

Additionally, if this vulnerability is combined with CVE-2025-11661, which allows unauthenticated access to backend endpoints, a remote attacker without any privileges can exploit this to inject and execute arbitrary JavaScript.

Impact Analysis

This vulnerability can allow attackers to execute malicious JavaScript in the browsers of other users, potentially leading to session hijacking, data theft, or unauthorized actions performed on behalf of the victim.

If combined with another vulnerability (CVE-2025-11661), even remote attackers without any privileges can exploit this, increasing the risk and impact.

Mitigation Strategies

To mitigate the Stored Cross-Site Scripting (XSS) vulnerability in the ProjectsAndPrograms school-management-system, immediate steps include restricting or reviewing the privileges of authorized users such as teachers and administrators who can inject malicious JavaScript.

Additionally, since this vulnerability can be chained with CVE-2025-11661 to allow remote exploitation without privileges, it is important to secure backend endpoints to prevent unauthenticated access.

Validate and sanitize the affected student and teacher attributes on input, and neutralize them before they are placed in page output, so that stored values cannot be rendered as script; monitor these fields for injected markup.

Finally, coordinate with the software maintainers for patches or updates, and consider restricting user input or applying web application firewalls to block malicious payloads.
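As an added defensive example (not code from the school-management-system project), the following shows the two controls the mitigation section refers to: neutralizing student and teacher attributes before they are placed in HTML, and auditing already-stored records for values that contain markup so persisted payloads can be found and cleaned. The record field names (id, name, email, address) are assumptions, not the project's schema.

```javascript
// Added example: contextual output encoding plus a detection pass over
// stored student/teacher records. Field names are assumed, not taken
// from the project's schema.

// Neutralize the characters that can break out of HTML text or a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

const PERSON_FIELDS = ['name', 'email', 'address'];

// Render one stored record as a table row; every attribute goes through
// escapeHtml regardless of which user saved it.
function renderPersonRow(record) {
  const cells = PERSON_FIELDS.map((f) => `<td>${escapeHtml(record[f] ?? '')}</td>`);
  return `<tr data-id="${escapeHtml(record.id)}">${cells.join('')}</tr>`;
}

// Detection: flag stored values containing tags, event-handler attributes
// or javascript: URLs. Stored XSS payloads persist in the database, so
// run this audit over existing data after deploying a fix.
const MARKUP_PATTERN = /<[a-z!/?]|\bon[a-z]+\s*=|javascript:/i;

function findSuspiciousRecords(records) {
  const hits = [];
  for (const rec of records) {
    for (const f of PERSON_FIELDS) {
      if (typeof rec[f] === 'string' && MARKUP_PATTERN.test(rec[f])) {
        hits.push({ id: rec.id, field: f });
      }
    }
  }
  return hits;
}

// Constructed sample data (not real records).
const SAMPLE_STUDENTS = [
  { id: 1, name: 'Ada Lovelace', email: 'ada@example.edu', address: '1 Main St' },
  { id: 2, name: '<script>alert(1)</script>', email: 'x@example.edu', address: 'Oak "Lane"' },
];
```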

Compliance Impact

The vulnerability allows an authorized attacker to inject malicious JavaScript that executes in other users' browsers, potentially leading to unauthorized access or data exposure. When combined with another vulnerability (CVE-2025-11661), it can be exploited remotely without privileges. Such security weaknesses can lead to breaches of personal data confidentiality and integrity, which may violate common standards and regulations like GDPR and HIPAA that require protection of personal and sensitive information.

Specifically, the risk of unauthorized script execution and potential data leakage could result in non-compliance with data protection requirements, including ensuring appropriate technical safeguards against unauthorized access and maintaining data security.
