CVE-2026-12425
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk17th percentile — higher than 17% of all known CVEs
Summary
A cross-site scripting (XSS) vulnerability has been found in PowerSchool Employee Access Center version 23.10. It involves improper neutralization of input during web page generation, allowing injection of JavaScript code after the login URL. The injected code is then executed via eval() in the context of the user's browser.
Risk Assessment
An attacker can exploit this vulnerability to execute arbitrary JavaScript code in the session of a logged-in user, potentially leading to data theft, session hijacking, or other actions on behalf of the victim.
Recommendation
Immediately update PowerSchool Employee Access Center to a version newer than 23.10 where this vulnerability is fixed. Until the update, restrict access to the system and validate/sanitize all input data in the URL.
Original NVD description (English source)
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PowerSchool Employee Access Center allows Cross-Site Scripting (XSS). This issue affects Employee Access Center: 23.10. It is possible to add in javascript code after the login URL and have it be eval()'d in the page and execute in the context of the user.

