Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-47324

CVE-2026-47324: School Management System XSS Vulnerability

CVE-2026-47324 is a stored cross-site scripting flaw in school-management-system that allows attackers to inject malicious JavaScript. This post explains its impact, affected versions, and mitigation steps.

Published:

CVE-2026-47324 Overview

CVE-2026-47324 is a stored Cross-Site Scripting (XSS) vulnerability [CWE-79] in the ProjectsAndPrograms school-management-system application. The flaw exists in multiple attributes of the students and teachers objects. An authenticated attacker with teacher or administrator privileges can inject malicious JavaScript that executes in other users' browsers when those records are rendered.

The vulnerability becomes more severe when chained with CVE-2025-11661, which permits unauthenticated access to backend endpoints. The chained exploit allows a remote, unauthenticated attacker to inject and execute arbitrary JavaScript against any user of the application.

Critical Impact

Authenticated stored XSS that becomes unauthenticated remote JavaScript execution when chained with CVE-2025-11661, enabling session theft and account takeover.

Affected Products

  • ProjectsAndPrograms school-management-system at commit 6b6fae5 (confirmed vulnerable)
  • Other versions were not tested and may also be affected
  • Maintainers did not confirm an exhaustive list of affected versions

Discovery Timeline

  • 2026-06-03 - CVE-2026-47324 published to NVD
  • 2026-06-03 - Last updated in NVD database

Technical Details for CVE-2026-47324

Vulnerability Analysis

The application stores user-supplied data in students and teachers records without sanitizing or encoding HTML and JavaScript content. When other users view pages that render these attributes, the browser interprets the injected payload as executable script. This is a classic persistent XSS pattern mapped to [CWE-79], Improper Neutralization of Input During Web Page Generation.

Stored XSS in an education platform exposes session cookies, authentication tokens, and form data submitted by teachers, administrators, students, and parents. An attacker can hijack administrator sessions to elevate privileges, modify grades, or extract personally identifiable information of minors.

The risk increases through chaining with CVE-2025-11661. That vulnerability allows unauthenticated requests to backend endpoints, which means the privilege requirement for injection disappears. A remote attacker without credentials can write the payload, then wait for any logged-in user to render the affected object.

Root Cause

The root cause is missing output encoding on attributes of the students and teachers objects. The application accepts arbitrary input and writes it back into HTML contexts without applying context-appropriate escaping. There is no Content Security Policy that would mitigate the impact of a successful injection.

Attack Vector

An attacker submits crafted input containing JavaScript through the student or teacher creation or update endpoints. The payload persists in the application data store. Each subsequent page render that includes the affected attribute executes the script in the victim's browser session. Refer to the CERT Polska Security Advisory for further technical context.

No verified proof-of-concept code is published. The vulnerability mechanism is described in the referenced advisory without exploit artifacts.

Detection Methods for CVE-2026-47324

Indicators of Compromise

  • Student or teacher records containing <script>, onerror=, onload=, or javascript: substrings in name, address, or description fields
  • Outbound HTTP requests from browser sessions to attacker-controlled domains shortly after viewing an affected record
  • Unexpected session token or cookie values appearing in web server access logs from external referrers

Detection Strategies

  • Query the application database for HTML tags or JavaScript event handlers stored in students and teachers attribute columns
  • Inspect web server logs for POST or PUT requests to student and teacher endpoints containing URL-encoded script payloads
  • Deploy a web application firewall rule that flags requests with script tags or JavaScript URI schemes targeting these endpoints

Monitoring Recommendations

  • Log all create and update operations on student and teacher objects with full request bodies for forensic review
  • Alert on administrator account activity that originates from new geographic locations or user agents after viewing student or teacher records
  • Monitor for anomalous outbound traffic from browsers in administrative network segments to flag possible cookie exfiltration

How to Mitigate CVE-2026-47324

Immediate Actions Required

  • Audit existing students and teachers records and remove any entries containing HTML tags or JavaScript constructs
  • Restrict network access to the application until output encoding is applied, particularly given the chain with CVE-2025-11661
  • Force a password reset and session invalidation for all administrator and teacher accounts that may have rendered tampered records

Patch Information

The maintainers were notified but did not publish a fix or disclose affected versions at the time of NVD publication. Operators should track the CERT Polska Security Advisory and the Oranbyte Project Page for upstream remediation.

Workarounds

  • Apply server-side output encoding for all user-controlled fields rendered in HTML contexts, using a context-aware encoding library
  • Deploy a strict Content Security Policy that disallows inline scripts and restricts script sources to trusted origins
  • Place the application behind a web application firewall configured to block XSS payloads on student and teacher endpoints
  • Remediate CVE-2025-11661 in parallel to remove the unauthenticated access path that enables exploit chaining
bash
# Example Content-Security-Policy header to limit XSS impact
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'";

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.