Skip to main content

School App

1 CVEs product

Monthly

CVE-2026-7491 HIGH PATCH This Week

Insecure Direct Object Reference in Zyosoft School App allows authenticated remote attackers to escalate privileges horizontally by manipulating object identifiers in API requests, enabling unauthorized read and write access to other users' personal data including student records, grades, and account information. The vulnerability requires only low-level authentication (PR:L) with no user interaction and poses high confidentiality and integrity risk to multi-tenant educational data. EPSS and KEV data not available; exploitation complexity is low (AC:L) making this accessible to moderately skilled attackers once credentials are obtained.

Authentication Bypass School App
NVD VulDB
CVSS 4.0
8.6
EPSS
0.0%
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Insecure Direct Object Reference in Zyosoft School App allows authenticated remote attackers to escalate privileges horizontally by manipulating object identifiers in API requests, enabling unauthorized read and write access to other users' personal data including student records, grades, and account information. The vulnerability requires only low-level authentication (PR:L) with no user interaction and poses high confidentiality and integrity risk to multi-tenant educational data. EPSS and KEV data not available; exploitation complexity is low (AC:L) making this accessible to moderately skilled attackers once credentials are obtained.

Authentication Bypass School App
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy