Description
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PowerSchool Employee Access Center allows Cross-Site Scripting (XSS). This issue affects Employee Access Center: 23.10. It is possible to add in javascript code after the login URL and have it be eval()'d in the page and execute in the context of the user.
Published: 2026-06-16
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user input in PowerSchool Employee Access Center allows a reflected or DOM-based cross‑site scripting vulnerability. By appending arbitrary JavaScript to the login URL, the application evaluates the injected code on the page, allowing execution in the context of the authenticated user. This type of flaw falls under CWE‑79 and can lead to session hijacking, defacement, or malicious actions performed as the legitimate user.

Affected Systems

The vulnerability affects PowerSchool Employee Access Center version 23.10. No other versions are listed as impacted.

Risk and Exploitability

The CVSS score of 5.7 indicates moderate risk, while the EPSS score of less than 1% suggests a very low likelihood of widespread exploitation. Since the flaw is not listed in the CISA KEV catalog, there are no known active exploits at the time of this analysis. Exploitation requires an attacker to craft a malicious URL that includes JavaScript code after the login page, which is then executed by the victim’s browser. The attack is constrained to users who can access the compromised login link, making the threat surface moderate but less likely to be leveraged broadly.

Generated by OpenCVE AI on June 17, 2026 at 21:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PowerSchool Employee Access Center to the latest released version that patches the XSS flaw.
  • Sanitize and validate the login URL query parameters to strip or encode any JavaScript or eval() invocations before rendering the page.
  • Apply a Content Security Policy that blocks inline scripts and restricts script sources to trusted origins.
  • Monitor network traffic and logs for unusual URL patterns that include script fragments and block or alert on them.

Generated by OpenCVE AI on June 17, 2026 at 21:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Powerschool
Powerschool employee Access Center
Vendors & Products Powerschool
Powerschool employee Access Center

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PowerSchool Employee Access Center allows Cross-Site Scripting (XSS). This issue affects Employee Access Center: 23.10. It is possible to add in javascript code after the login URL and have it be eval()'d in the page and execute in the context of the user.
Title Reflected / DOM cross-site scripting (XSS) in PowerSchool ERP / Employee Access Center 23.10
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H/E:P'}


Subscriptions

Powerschool Employee Access Center
cve-icon MITRE

Status: PUBLISHED

Assigner: palo_alto

Published:

Updated: 2026-06-17T15:04:57.848Z

Reserved: 2026-06-16T17:02:05.062Z

Link: CVE-2026-12425

cve-icon Vulnrichment

Updated: 2026-06-17T15:04:54.461Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-16T20:16:28.443

Modified: 2026-06-16T20:42:25.013

Link: CVE-2026-12425

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-23T21:05:01Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')