Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
ProjectsAndPrograms school-management-system is vulnerable to Stored Cross‑Site Scripting (XSS) in multiple attributes of students and teachers objects. An authorized attacker (e.g., a teacher or administrator) can inject malicious JavaScript that is subsequently executed in other users’ browsers. Critically, when chained with CVE‑2025‑11661, which allows unauthenticated access to backend endpoints, this vulnerability can be exploited by a remote attacker without privileges to inject and execute arbitrary JavaScript.
The maintainers were notified early about this vulnerability but did not provide details regarding affected versions. The version corresponding to commit 6b6fae5 was tested and confirmed vulnerable; other versions were not tested and may also be affected.
AnalysisAI
Stored XSS in ProjectsAndPrograms school-management-system allows an authorized attacker to inject malicious JavaScript into multiple student and teacher object attributes, which then executes in the browsers of other authenticated users. Critically, when chained with CVE-2025-11661 - which grants unauthenticated access to backend endpoints - the attack escalates to fully remote, unauthenticated exploitation, removing the otherwise required low-privilege foothold. No patch has been released and no public exploit code has been identified at time of analysis, though the application is confirmed vulnerable at commit 6b6fae5 per CERT.PL.
Technical ContextAI
The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), the root cause being unsanitized user-supplied input stored in the database and later rendered directly into HTML pages viewed by other users. The affected surface is specifically the attribute fields of student and teacher objects within the school management application - likely name, bio, or similar profile fields that are persisted server-side and reflected to administrators, teachers, or other privileged roles viewing user records. No CPE strings were provided in the source data, and no exact framework or language stack is identified in available references. The vulnerability was reported by CERT.PL (cvd@cert.pl) and documented at cert.pl and oranbyte.com. The chaining vector via CVE-2025-11661 suggests the backend API lacks proper authentication middleware on relevant endpoints, compounding the stored XSS risk substantially.
RemediationAI
No vendor-released patch has been identified at time of analysis - the maintainers were notified but did not provide patch details or an affected version range. Because no fix is available, defenders should apply compensating controls immediately. First and foremost, mitigate or eliminate CVE-2025-11661 by enforcing authentication on all backend API endpoints, as doing so restores the PR:L barrier and limits exploitation to authenticated users only - this is the highest-leverage control available. Additionally, deploy a web application firewall (WAF) with XSS filtering rules targeting student and teacher profile submission endpoints, noting that WAF rules may produce false positives on legitimate data with special characters. Restrict access to student and teacher record creation and editing to the minimum necessary roles, reducing the attacker surface. Input validation and output encoding should be implemented at the application layer if the maintainers release an update or if the deployment is self-hosted. Monitor for unexpected script tags or JavaScript URIs in database fields containing student and teacher attributes. Advisory details are available at https://cert.pl/en/posts/2026/06/CVE-2026-47324/.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34093
GHSA-8m4w-m8gr-x23c