CVE-2026-12425 | Improper Neutralization of Input During Web Page Generation … | CVSS 5.7 MEDIUM

Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in PowerSchool Employee Access Center allows Cross-Site Scripting (XSS). This issue affects Employee Access Center: 23.10. It is possible to add in javascript code after the login URL and have it be eval()'d in the page and execute in the context of the user.

Metadata

CVE ID: CVE-2026-12425
State: PUBLISHED
Assigner: palo_alto
Reserved: 2026-06-16 17:02 UTC
Published: 2026-06-16 18:34 UTC
Last updated: 2026-06-17 15:04 UTC
Primary CWE: CWE-79
CWE-79 Improper neutralization of input during web page gene…
Vendor / Product: PowerSchool / Employee Access Center
Sources: cve.org · NVD

Severity & Metrics

5.7 MEDIUM CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H/E:P

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
PowerSchool	Employee Access Center	—	23.10

Weakness (CWE)

CWE	Source	Description
CWE-79	cna	CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')

CVSS scores (1)

Score	Severity	Version	Source	Vector
5.7	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H/E:P

References (1)

https://github.com/PaloAltoNetworks/u42-vulnerability-disclosures/blob/main/2026/PANW-2026-0002/PANW-2026-0002.md