CVE-2026-47325 Overview
CVE-2026-47325 affects the ProjectsAndPrograms school-management-system, a PHP-based educational platform. The application generates student and teacher passwords solely from the user's date of birth in DDMMYYYY format (for example, 12072000 for 12 July 2000). The system does not enforce a password change at first login, leaving accounts protected by a value that is often public knowledge. The weakness is classified under CWE-1391: Use of Weak Credentials.
Critical Impact
Attackers who know or guess a user's date of birth can derive valid login credentials and access student or teacher accounts without further interaction.
Affected Products
- ProjectsAndPrograms school-management-system at commit 6b6fae5 (confirmed vulnerable)
- Other versions of the school-management-system that were not tested and may also be affected
- Deployments derived from the upstream repository where the password generation logic is unchanged
Discovery Timeline
- 2026-06-03 - CVE-2026-47325 published to the National Vulnerability Database
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-47325
Vulnerability Analysis
The school-management-system creates new user accounts by deriving the initial password directly from the supplied date of birth. The resulting credential follows a fixed DDMMYYYY pattern with only eight numeric characters and a constrained value space.
Date of birth is frequently treated as low-sensitivity data. It appears in social media profiles, school directories, and public records. Because the application reuses this value as a password and does not prompt for rotation on first login, the credential remains predictable for the lifetime of the account.
An attacker who enumerates valid usernames can guess passwords against a small keyspace. There are roughly 36,500 possible values for a century of birth dates, which falls well within the limits of automated brute-force attempts. Successful authentication yields unauthorized access to student or teacher records, grades, and personal information.
Root Cause
The root cause is an insecure design decision in the account provisioning workflow. The application substitutes a randomly generated secret with a deterministic transformation of personally identifiable information. Compounding the issue, the system omits any forced password change, expiration policy, or rate limiting on failed authentication attempts.
Attack Vector
Exploitation is network-based and requires no privileges or user interaction. An attacker reaches the public login endpoint, supplies a known or enumerated username, and submits date-of-birth values formatted as DDMMYYYY. No exploitation code is required beyond a standard HTTP client or credential-stuffing tooling. The vendor has not published a list of affected versions, so defenders must assume any deployment that retains the original password generation logic is at risk.
Detection Methods for CVE-2026-47325
Indicators of Compromise
- Successful logins from unfamiliar IP addresses or geographies to student and teacher accounts
- Bursts of failed login attempts against the school-management-system authentication endpoint with eight-digit numeric password values
- Account activity outside of normal school hours, including grade or profile modifications
- Web server logs showing sequential POST requests to the login handler with incrementing date patterns
Detection Strategies
- Review application access logs for high-volume authentication attempts that match the DDMMYYYY numeric pattern
- Correlate login source IP addresses against known administrative ranges and flag deviations
- Audit user accounts where the stored password hash matches a hash of the recorded date of birth
- Alert on any account that authenticates successfully after a series of failed attempts within a short window
Monitoring Recommendations
- Forward web server and application logs to a centralized logging or SIEM platform for retention and correlation
- Track first-login behavior per account and flag sessions where the password has never been changed
- Monitor for lateral activity from compromised teacher accounts, which typically hold elevated privileges within the platform
How to Mitigate CVE-2026-47325
Immediate Actions Required
- Force a password reset for every existing student and teacher account in the school-management-system
- Disable any self-service flow that issues date-of-birth-based credentials until the underlying code is patched
- Restrict access to the application from the public internet using a VPN or IP allowlist where operationally feasible
- Enable account lockout or rate limiting at the web server or reverse proxy to slow credential guessing
Patch Information
The maintainers were notified but did not provide affected version details or a fixed release at the time of publication. Refer to the CERT Polska Security Advisory and the Oranbyte Project Overview for the latest status. Operators who maintain forks should replace the password generation routine with a cryptographically secure random generator and require a password change on first login.
Workarounds
- Modify the account creation code to generate random initial passwords and deliver them through an out-of-band channel
- Add a forced password change step to the first authenticated session before granting access to any application feature
- Enforce minimum password complexity and length requirements at the application layer
- Place a web application firewall in front of the login endpoint to block repeated submissions of numeric-only passwords
# Configuration example - sample nginx rate limit for the login endpoint
limit_req_zone $binary_remote_addr zone=login_zone:10m rate=5r/m;
location /login.php {
limit_req zone=login_zone burst=5 nodelay;
proxy_pass http://school_management_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

