Skip to main content

school-management-system EUVDEUVD-2026-34094

| CVE-2026-47325 MEDIUM
Use of Weak Credentials (CWE-1391)
2026-06-03 cvd@cert.pl GHSA-hxqj-5m25-j368
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 03, 2026 - 14:34 vuln.today

DescriptionCVE.org

ProjectsAndPrograms school-management-system uses predictable credentials by generating student's and teacher's passwords solely from the user’s date of birth (e.g., 12072000 for 12 July 2000). The application does not require or prompt users to change the password upon first login. This behavior allows attackers to easily guess or derive valid credentials, leading to unauthorized account access.

The maintainers were notified early about this vulnerability but did not provide details regarding affected versions. The version corresponding to commit 6b6fae5 was tested and confirmed vulnerable; other versions were not tested and may also be affected.

AnalysisAI

Predictable credential generation in ProjectsAndPrograms school-management-system allows unauthenticated remote attackers to derive valid account passwords for any student or teacher whose date of birth is known or guessable. Passwords are constructed deterministically from the user's date of birth alone (e.g., 12072000 for 12 July 2000), and the application never prompts users to change this default credential, leaving accounts permanently exposed. CVSS 4.0 rates this 6.9 with a fully network-accessible, no-authentication attack vector; no public exploit code has been identified at time of analysis, but the trivial exploitation logic requires no tooling.

Technical ContextAI

CWE-1391 (Use of Weak Credentials) describes the root cause: the application's credential provisioning routine derives passwords algorithmically from a non-secret, low-entropy input - the user's date of birth formatted as DDMMYYYY. The effective keyspace for plausible student and teacher birth years (e.g., 1970-2015) is roughly 16,000-18,000 possible values, rendering the password set trivially enumerable even without prior knowledge of a specific target's birthday. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms the application is network-reachable, requires no prior authentication, and imposes no additional attack complexity. The affected codebase is the ProjectsAndPrograms school-management-system tracked at commit 6b6fae5, as confirmed by CERT.PL (cert.pl/en/posts/2026/06/CVE-2026-47324/). No CPE string was provided in the source data.

RemediationAI

No vendor-released patch has been identified at time of analysis - the maintainers were notified early but did not provide fix details or a patched version. As an immediate compensating control, administrators should force a mandatory password reset for all student and teacher accounts by invalidating existing credentials and requiring new passwords to be set on next login; this prevents exploitation of currently derived credentials. Passwords should be regenerated using a cryptographically random source rather than date of birth. If the application cannot be patched promptly, restrict access to the login interface to trusted IP ranges or place it behind a VPN to eliminate the network-accessible attack surface, accepting the trade-off of reduced remote usability for staff and students. Account lockout policies (e.g., 5 failed attempts triggering a lockout) will significantly slow automated enumeration of the ~16,000-value keyspace. Monitor authentication logs for sequential login attempts with date-formatted passwords as an indicator of active exploitation. Reference advisory: https://cert.pl/en/posts/2026/06/CVE-2026-47324/.

Share

EUVD-2026-34094 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy