Description
ProjectsAndPrograms school-management-system uses predictable credentials by generating students' and teachers' passwords solely from the user's date of birth (e.g., 12072000 for 12 July 2000). The application does not require or prompt users to change the password upon first login. This behavior allows attackers to easily guess or derive valid credentials, leading to unauthorized account access.

The maintainers were notified early about this vulnerability but did not provide details regarding affected versions. The version corresponding to commit 6b6fae5 was tested and confirmed vulnerable; other versions were not tested and may also be affected.
Published: 2026-06-03
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Predictable passwords are generated from a user's date of birth, such as 12072000 for 12 July 2000, and the system takes no action to prompt or require a change on first login. The weakness, classified as CWE-1391, allows an attacker to guess or calculate valid credentials with minimal effort, resulting in unauthorized account access.

Affected Systems

The vulnerable product is ProjectsAndPrograms:school-management-system. The version at commit 6b6fae5 has been confirmed vulnerable; other releases have not been verified but may also be affected.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity vulnerability. No EPSS data is available and it is not listed in the CISA KEV catalog. Attackers could exploit the flaw by guessing or deriving the password for any account if they know the user’s date of birth; once authenticated, an attacker gains full access to that account’s privileges.

Generated by OpenCVE AI on June 3, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the application to a version that disables password generation from date of birth and introduces a strong, random password algorithm.
  • Configure the system to force a password change on first login and enforce a password complexity policy that includes length, alphanumerics, and special characters.
  • Audit existing user accounts for DOB-derived passwords and reset them to secure credentials, optionally locking accounts until a new password is chosen.
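The audit in the last recommendation, as an added example that is not the project's code: it assumes accounts are held as dicts with a username, date of birth and an unsalted SHA-256 password hash (a constructed stand-in for whatever the application really stores), checks the DDMMYYYY format named in the advisory plus a few common date variants, and rotates every match to a random temporary password that must be changed at next login.

```python
import hashlib
import secrets
import string
from datetime import date

def dob_candidates(dob: date) -> set[str]:
    """Password strings an account may have been issued from its date of birth.
    DDMMYYYY is the format the advisory names; the rest are common variants
    (an assumption made to widen the audit)."""
    d, m, y = f"{dob.day:02d}", f"{dob.month:02d}", f"{dob.year:04d}"
    return {d + m + y, d + m + y[2:], y + m + d, m + d + y}

def is_dob_derived(stored_hash: str, dob: date) -> bool:
    """True if the stored hash matches any DOB-derived candidate.
    Assumption: unsalted SHA-256 hex, as in the constructed sample below;
    for a bcrypt/argon2 store, swap in that library's verify call."""
    return any(hashlib.sha256(c.encode()).hexdigest() == stored_hash
               for c in dob_candidates(dob))

def random_temp_password(length: int = 16) -> str:
    """CSPRNG-backed temporary password over letters, digits and symbols."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

def audit_accounts(accounts: list[dict]) -> list[dict]:
    """Rotate every DOB-derived account to a random temporary password and
    flag it for a forced change at next login. Returns the rotated accounts."""
    rotated = []
    for acct in accounts:
        if is_dob_derived(acct["password_hash"], acct["dob"]):
            temp = random_temp_password()
            acct["password_hash"] = hashlib.sha256(temp.encode()).hexdigest()
            acct["must_change_password"] = True
            rotated.append({"username": acct["username"], "temporary_password": temp})
    return rotated

def _h(p: str) -> str:
    """Hash helper for building the constructed sample only."""
    return hashlib.sha256(p.encode()).hexdigest()

# Constructed sample: two accounts still on DOB passwords, one already rotated.
SAMPLE_ACCOUNTS = [
    {"username": "student1", "dob": date(2000, 7, 12), "password_hash": _h("12072000"), "must_change_password": False},
    {"username": "teacher1", "dob": date(1985, 3, 4), "password_hash": _h("19850304"), "must_change_password": False},
    {"username": "admin", "dob": date(1990, 1, 1), "password_hash": _h("Zq7!vN2$pL9@wX4e"), "must_change_password": False},
]
```

Running `audit_accounts(SAMPLE_ACCOUNTS)` rotates student1 (DDMMYYYY) and teacher1 (YYYYMMDD variant) and leaves the admin account untouched.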

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 16:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Projectsandprograms
                                      Projectsandprograms school Management System
Vendors & Products                    Projectsandprograms
                                      Projectsandprograms school Management System

Wed, 03 Jun 2026 16:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 14:15:00 +0000

Type          Values Removed   Values Added
Description                    ProjectsAndPrograms school-management-system uses predictable credentials by generating student's and teacher's passwords solely from the user's date of birth (e.g., 12072000 for 12 July 2000). The application does not require or prompt users to change the password upon first login. This behavior allows attackers to easily guess or derive valid credentials, leading to unauthorized account access. The maintainers were notified early about this vulnerability but did not provide details regarding affected versions. The version corresponding to commit 6b6fae5 was tested and confirmed vulnerable; other versions were not tested and may also be affected.
Title                          Weak password policy in ProjectsAndPrograms school-management-system
Weaknesses                     CWE-1391
References
Metrics                        cvssV4_0
                               {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Projectsandprograms School Management System
MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-06-03T13:28:25.341Z

Reserved: 2026-05-19T09:41:57.544Z

Link: CVE-2026-47325

Vulnrichment

Updated: 2026-06-03T15:50:54.261Z

NVD

Status: Received

Published: 2026-06-03T14:16:44.823

Modified: 2026-06-03T14:16:44.823

Link: CVE-2026-47325

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T16:30:35Z

Weaknesses