CVE-2026-12425 PUBLISHED

Reflected / DOM cross-site scripting (XSS) in PowerSchool ERP / Employee Access Center 23.10

Assigner: palo_alto
Reserved: 16.06.2026 Published: 16.06.2026 Updated: 16.06.2026

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PowerSchool Employee Access Center allows Cross-Site Scripting (XSS). This issue affects Employee Access Center: 23.10. It is possible to add in javascript code after the login URL and have it be eval()'d in the page and execute in the context of the user.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H/E:P
CVSS Score: 5.7

Product Status

Vendor PowerSchool
Product Employee Access Center
Versions Default: unaffected
  • Version 23.10 is affected

Credits

  • Menachem (Momo) Rothbart finder

References

Problem Types

  • CWE-79 Improper neutralization of input during web page generation ('cross-site scripting') CWE

Impacts

  • CAPEC-63 Cross-Site Scripting (XSS)