Skip to main content

Employee Access Center

1 CVEs product

Monthly

CVE-2026-12425 MEDIUM This Month

Reflected cross-site scripting in PowerSchool Employee Access Center 23.10 allows unauthenticated remote attackers to execute arbitrary JavaScript in the browser context of any user who clicks a crafted login URL, with injected code evaluated directly via eval(). Reported by Palo Alto Networks Unit 42 (PANW-2026-0002), exploit code has been publicly released (CVSS 4.0 E:P), meaningfully lowering the barrier to exploitation. No active exploitation has been confirmed in CISA KEV at time of analysis, but the low-barrier phishing delivery path targeting an education-sector HR authentication page - with high subsequent-system impact - warrants treatment above the Medium CVSS 4.0 score of 5.7 implies.

XSS Employee Access Center
NVD GitHub VulDB
CVSS 4.0
5.7
EPSS
0.3%
EPSS 0% CVSS 5.7
MEDIUM This Month

Reflected cross-site scripting in PowerSchool Employee Access Center 23.10 allows unauthenticated remote attackers to execute arbitrary JavaScript in the browser context of any user who clicks a crafted login URL, with injected code evaluated directly via eval(). Reported by Palo Alto Networks Unit 42 (PANW-2026-0002), exploit code has been publicly released (CVSS 4.0 E:P), meaningfully lowering the barrier to exploitation. No active exploitation has been confirmed in CISA KEV at time of analysis, but the low-barrier phishing delivery path targeting an education-sector HR authentication page - with high subsequent-system impact - warrants treatment above the Medium CVSS 4.0 score of 5.7 implies.

XSS Employee Access Center
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy