Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Login-page reflected XSS via eval() requires no privileges but mandates user interaction; scope changes as stolen session grants subsequent-system access with high confidentiality impact.
Primary rating from Vendor (palo_alto).
CVSS VectorVendor: palo_alto
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PowerSchool Employee Access Center allows Cross-Site Scripting (XSS). This issue affects Employee Access Center: 23.10. It is possible to add in javascript code after the login URL and have it be eval()'d in the page and execute in the context of the user.
AnalysisAI
Reflected cross-site scripting in PowerSchool Employee Access Center 23.10 allows unauthenticated remote attackers to execute arbitrary JavaScript in the browser context of any user who clicks a crafted login URL, with injected code evaluated directly via eval(). Reported by Palo Alto Networks Unit 42 (PANW-2026-0002), exploit code has been publicly released (CVSS 4.0 E:P), meaningfully lowering the barrier to exploitation. No active exploitation has been confirmed in CISA KEV at time of analysis, but the low-barrier phishing delivery path targeting an education-sector HR authentication page - with high subsequent-system impact - warrants treatment above the Medium CVSS 4.0 score of 5.7 implies.
Technical ContextAI
PowerSchool Employee Access Center (CPE: cpe:2.3:a:powerschool:employee_access_center:*:*:*:*:*:*:*:*) is an HR self-service portal deployed across school districts and educational institutions, typically used by payroll administrators and HR staff. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a reflected XSS sink where attacker-controlled input appended to the login page URL is passed to JavaScript's eval() function without sanitization or output encoding. The eval()-based execution sink is particularly severe: unlike DOM-injection XSS that can be partially mitigated by HTML entity encoding, eval() directly interprets its input as executable code, bypassing most encoding-layer defenses and making Content Security Policy's 'unsafe-eval' directive the critical control. This pattern - dynamically evaluating URL parameters on unauthenticated pages - is a well-understood high-risk antipattern documented in OWASP's Top 10.
RemediationAI
No vendor-released patch version has been identified in the available data at time of analysis; organizations should immediately consult PowerSchool's official security channel and monitor the Unit 42 advisory at https://github.com/PaloAltoNetworks/u42-vulnerability-disclosures/blob/main/2026/PANW-2026-0002/PANW-2026-0002.md for patch release confirmation. Until a fix is available, the most effective compensating control is enforcing a strict Content Security Policy header on the Employee Access Center login endpoint that includes 'script-src' without 'unsafe-eval', which would directly neutralize the eval() sink - note this may break other JavaScript functionality on the page that relies on dynamic evaluation and requires testing before deployment. A Web Application Firewall rule blocking JavaScript constructs (function(), eval(), script tags) in URL query parameters on the login path provides a secondary layer but is bypassable through encoding and should not be treated as a standalone fix. Organizations should also restrict access to the Employee Access Center login endpoint to known IP ranges (e.g., school district network or VPN) where operationally feasible, which removes the network-accessible attack vector entirely - at the cost of preventing remote employee access. Staff training to scrutinize login URLs before clicking, particularly those received via email, is a low-cost detection and prevention measure appropriate for the phishing delivery model.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37205
GHSA-wp5h-m3hq-5qph