EUVD-2026-37205

Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in PowerSchool Employee Access Center allows Cross-Site Scripting XSS. This issue affects Employee Access Center: 23.10. It is possible to add in javascript code after the login URL and have it...

CVE-2026-12425

Improper Neutralization of Input During Web Page Generation XSS or 'Cross-site Scripting' vulnerability in PowerSchool Employee Access Center allows Cross-Site Scripting XSS. This issue affects Employee Access Center: 23.10. It is possible to add in javascript code after the login URL and have it...

CVE-2026-12425

CVE-2026-12425 is a reflected/DOM-based XSS in PowerSchool Employee Access Center 23.10. The issue allows injection of JavaScript after the login URL that can be eval()’d in the user’s browser context, enabling an attacker to run code with the user’s privileges. The CVSS metrics indicate network ...

EUVD-2019-7800

Malware in sbrugna...

EUVD-2007-1041

Malware in sbrugna...

19-Year-Old Admits to PowerSchool Data Breach Extortion

A 19-year-old college student faces charges after pleading guilty to cyber extortion targeting PowerSchool, exposing data of 60…...

CVE-2019-17396

In the PowerSchool Mobile application 1.1.8 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat...

PowerSchool Paid Ransom, Now Hackers Target Teachers for More

PowerSchool paid ransom after a major data breach; now hackers are targeting teachers and schools with direct extortion…...

US Names One of the Hackers Allegedly Behind Massive Salt Typhoon Breaches

Plus: New details emerge about China’s cyber espionage against the US, the FBI remotely uninstalls malware on 4,200 US devices, and victims of the PowerSchool edtech breach reveal what hackers stole...

cin-eo.businessplus.powerschool.com Cross Site Scripting vulnerability OBB-2142697

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: &nbsp&nbsp&nbsp&nbsp&nbsp&nbspa. verified the vulnerability and confirmed its existence; &nbsp&nbsp&nbsp&nbsp&nbsp&nbspb. notified the website operator about its existence...

dmp-eo.businessplus.powerschool.com Cross Site Scripting vulnerability OBB-2142694

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: &nbsp&nbsp&nbsp&nbsp&nbsp&nbspa. verified the vulnerability and confirmed its existence; &nbsp&nbsp&nbsp&nbsp&nbsp&nbspb. notified the website operator about its existence...

CVE-2019-17396

In the PowerSchool Mobile application 1.1.8 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat...

CVE-2019-17396

In the PowerSchool Mobile application 1.1.8 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat...

Default credentials

In the PowerSchool Mobile application 1.1.8 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat...

CVE-2019-17396

The CVE-2019-17396 entry concerns PowerSchool Mobile for Android (version 1.1.8). The underlying issue is that credentials (username and password) are logged during authentication and may be exposed to attackers via logcat. Affected component: authentication/logging path in the Android app. Impac...

CVE-2019-17396

In the PowerSchool Mobile application 1.1.8 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat...

Powerschool 4.3.6/5.1.2 Javascript File Request Information Disclosure Vulnerability

No description provided by source. source: http://www.securityfocus.com/bid/22611/info Powerschool is prone to an information-disclosure vulnerability because the application discloses information about administrative session variables. An attacker can exploit these issue to obtain sensitive...

Design/Logic Flaw

Pearson Education PowerSchool 4.3.6 allows remote attackers to list the contents of the admin folder via a URI composed of the admin/ directory name and an arbitrary filename ending in ".js." NOTE: it was later reported that this issue had been addressed by 5.1.2...

CVE-2007-1044

Pearson Education PowerSchool 4.3.6 allows remote attackers to list the contents of the admin folder via a URI composed of the admin/ directory name and an arbitrary filename ending in ".js." NOTE: it was later reported that this issue had been addressed by 5.1.2...

CVE-2007-1044

Pearson Education PowerSchool 4.3.6 allows remote attackers to list the contents of the admin folder via a URI composed of the admin/ directory name and an arbitrary filename ending in ".js." NOTE: it was later reported that this issue had been addressed by 5.1.2...