PatchSiren cyber security CVE debrief
CVE-2026-12425 PowerSchool CVE debrief
A Cross-Site Scripting (XSS) vulnerability, known as Improper Neutralization of Input During Web Page Generation, has been discovered in PowerSchool Employee Access Center version 23.10. This vulnerability allows an attacker to add JavaScript code after the login URL, which is then evaluated and executed in the context of the user.
- Vendor: PowerSchool
- Product: Employee Access Center
- CVSS: MEDIUM 5.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-16
- Original CVE updated: 2026-06-17
- Advisory published: 2026-06-16
- Advisory updated: 2026-06-17
Who should care
Users of PowerSchool Employee Access Center version 23.10 should be aware of this vulnerability and take necessary precautions to protect themselves.
Technical summary
The vulnerability has a CVSS score of 5.7 and a severity rating of MEDIUM. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
Defensive priority
MEDIUM
Recommended defensive actions
- Apply the necessary patches or updates to PowerSchool Employee Access Center version 23.10 to fix the vulnerability.
- Use secure coding practices to prevent similar vulnerabilities in the future.
- Monitor the system for any suspicious activity.
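One way to act on the monitoring recommendation is to scan web access logs for login requests whose target carries script markup after the login URL, as the description above outlines. This is an added example, not code from PowerSchool or the advisory; the login path, the combined log format, the marker list and the sample log lines are all assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: placeholder login path; replace with the one your deployment uses.
LOGIN_PATH = "/example-app/login"

# Markers of script content appended to a URL (illustrative, not exhaustive).
SCRIPT_MARKERS = re.compile(
    r"<\s*script|javascript:|\bon(?:load|error|click|focus|mouseover)\s*=|<\s*(?:img|svg|iframe)\b",
    re.IGNORECASE)
REQUEST_LINE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_fully(target, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is inspected too."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def suspicious_login_requests(lines):
    """Return (line_number, decoded_target) for login requests with script markers."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_LINE.search(line)
        if not match:
            continue  # not an HTTP request line we understand
        target = decode_fully(match.group(1))
        if not target.lower().startswith(LOGIN_PATH):
            continue  # only the login URL is in scope here
        if SCRIPT_MARKERS.search(target[len(LOGIN_PATH):]):
            hits.append((number, target))
    return hits

# Constructed sample log lines (documentation IP ranges, hypothetical paths).
SAMPLE_LOG = [
    '198.51.100.7 - - [17/Jun/2026:09:12:01 +0000] "GET /example-app/login HTTP/1.1" 200 5120',
    '198.51.100.7 - - [17/Jun/2026:09:12:05 +0000] "GET /example-app/login?returnUrl=%2Fhome HTTP/1.1" 200 5120',
    '203.0.113.9 - - [17/Jun/2026:09:13:40 +0000] "GET /example-app/login%22%3E%3Cscript%3Eprobe()%3C/script%3E HTTP/1.1" 200 5300',
    '203.0.113.9 - - [17/Jun/2026:09:13:52 +0000] "GET /example-app/login?x=%253Csvg%2520onload%253Dprobe()%253E HTTP/1.1" 200 5300',
    '192.0.2.44 - - [17/Jun/2026:09:14:10 +0000] "GET /example-app/home?msg=%3Cscript%3E HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for number, target in suspicious_login_requests(SAMPLE_LOG):
        print(f"line {number}: {target}")
```

Matches are leads for review rather than proof of exploitation, and the marker list will need tuning against normal traffic for the deployment.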
Evidence notes
The vulnerability was reported by an unknown vendor and has been documented in the CVE record and NVD detail pages.
Official resources
- CVE-2026-12425 CVE record (CVE.org)
- CVE-2026-12425 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-12425 was published on 2026-06-16T20:16:28.443Z and modified on 2026-06-16T20:42:25.013Z.