CVE Catalog

CVE-2026-12425

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.26%

17th percentile — higher than 17% of all known CVEs

Summary

A cross-site scripting (XSS) vulnerability has been found in PowerSchool Employee Access Center version 23.10. It involves improper neutralization of input during web page generation, allowing injection of JavaScript code after the login URL. The injected code is then executed via eval() in the context of the user's browser.

Risk Assessment

An attacker can exploit this vulnerability to execute arbitrary JavaScript code in the session of a logged-in user, potentially leading to data theft, session hijacking, or other actions on behalf of the victim.

Recommendation

Immediately update PowerSchool Employee Access Center to a version newer than 23.10 where this vulnerability is fixed. Until the update, restrict access to the system and validate/sanitize all input data in the URL.

Original NVD description (English source)

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PowerSchool Employee Access Center allows Cross-Site Scripting (XSS). This issue affects Employee Access Center: 23.10. It is possible to add in javascript code after the login URL and have it be eval()'d in the page and execute in the context of the user.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS