Description
ProjectsAndPrograms school-management-system is vulnerable to Stored Cross‑Site Scripting (XSS) in multiple attributes of student and teacher objects. An authorized attacker (e.g., a teacher or administrator) can inject malicious JavaScript that is subsequently executed in other users’ browsers.
Critically, when chained with CVE‑2025‑11661, which allows unauthenticated access to backend endpoints, this vulnerability can be exploited by a remote attacker without privileges to inject and execute arbitrary JavaScript.

The maintainers were notified early about this vulnerability but did not provide details regarding affected versions. The version corresponding to commit 6b6fae5 was tested and confirmed vulnerable; other versions were not tested and may also be affected.
Published: 2026-06-03
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ProjectsAndPrograms school‑management‑system suffers from a stored cross‑site scripting flaw in several attributes of student and teacher objects. A user with sufficient authority, such as a teacher or administrator, can place malicious JavaScript in these fields, and the code is subsequently executed in the browsers of any other user who views the affected pages. When combined with the separate CVE‑2025‑11661 vulnerability, which permits unauthenticated access to backend endpoints, the stored XSS can be triggered by a remote attacker without requiring any prior privileges.

Affected Systems

The vulnerability affects the ProjectsAndPrograms school‑management‑system. No official release number is documented; the version at commit 6b6fae5 was tested and confirmed vulnerable, while other releases were not examined and may or may not be affected.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. Because no EPSS data is available and the vulnerability is not listed in CISA KEV, the likelihood of widespread exploitation is uncertain but could increase if the system is publicly accessible. An attacker with teacher or administrator rights can directly inject malicious payloads; a remote attacker can achieve the same effect via the authentication bypass CVE‑2025‑11661. The direct impact is limited to what runs in victims’ browsers, but it can facilitate further compromise of the environment if the executed script is used to gain additional privileges.

Generated by OpenCVE AI on June 3, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy the vendor‑issued security patch once it is released; contact the maintainers for the correct version
  • Ensure that all user‑supplied data displayed in student and teacher objects is properly escaped or sanitized to prevent execution of malicious scripts
  • Implement a Content Security Policy that disallows inline scripts and limits script sources to trusted domains



Advisories

No advisories yet.

History

Wed, 03 Jun 2026 16:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 15:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Projectsandprograms; Projectsandprograms school Management System

Type: Vendors & Products
Values Removed: (none)
Values Added: Projectsandprograms; Projectsandprograms school Management System

Wed, 03 Jun 2026 14:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: ProjectsAndPrograms school-management-system is vulnerable to Stored Cross‑Site Scripting (XSS) in multiple attributes of students and teachers objects. An authorized attacker (e.g., a teacher or administrator) can inject malicious JavaScript that is subsequently executed in other users’ browsers. Critically, when chained with CVE‑2025‑11661, which allows unauthenticated access to backend endpoints, this vulnerability can be exploited by a remote attacker without privileges to inject and execute arbitrary JavaScript. The maintainers were notified early about this vulnerability but did not provide details regarding affected versions. The version corresponding to commit 6b6fae5 was tested and confirmed vulnerable; other versions were not tested and may also be affected.

Type: Title
Values Removed: (none)
Values Added: Stored XSS in Multiple Points in ProjectsAndPrograms school-management-system

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0
{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

Projectsandprograms School Management System
MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-06-03T13:28:15.935Z

Reserved: 2026-05-19T09:41:57.543Z

Link: CVE-2026-47324

Vulnrichment

Updated: 2026-06-03T15:50:34.817Z

NVD

Status: Received

Published: 2026-06-03T14:16:44.677

Modified: 2026-06-03T14:16:44.677

Link: CVE-2026-47324

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T16:00:16Z

Weaknesses