CVE-2026-47324
Description
Stored XSS in ProjectsAndPrograms school-management-system allows authorized users to inject JavaScript; unauthenticated remote attackers can do the same when the flaw is chained with another CVE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
ProjectsAndPrograms school-management-system is vulnerable to Stored Cross-Site Scripting (XSS) within multiple attributes of student and teacher objects. The version corresponding to commit 6b6fae5 was confirmed vulnerable; other versions may also be affected. [1]
Exploitation
An authorized attacker, such as a teacher or administrator, can inject malicious JavaScript. Critically, when combined with CVE-2025-11661, which enables unauthenticated access to backend endpoints, a remote attacker without privileges can inject and execute arbitrary JavaScript. [1]
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in other users' browsers. This can lead to various malicious actions depending on the context of the executed script, potentially compromising user sessions or data. [1]
Mitigation
Details regarding affected versions beyond commit 6b6fae5 and available patches are not yet disclosed in the available references. [1]
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: commit 6b6fae5
- Range: commit 6b6fae5
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.