CVE-2025-48373 · CRITICAL 9.1 · EPSS p25.1%

Description

Schule is open-source school management system software. The application relies on client-side JavaScript (index.js) to redirect users to different panels based on their role. Prior to version 1.0.1, this implementation poses a serious security risk because it assumes that the value of data.role is trustworthy on the client side. Attackers can manipulate JavaScript in the browser (e.g., via browser dev tools or intercepting API responses) and set data.role to any arbitrary value (e.g., "admin"), gaining unauthorized access to restricted areas of the application.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.33% probability of exploitation · percentile 25.1% · 2026-06-18T12:00:27Z
Published: 2025-05-22
Last modified: 2025-09-05

Underlying weaknesses · 1

CWE-863

References

  1. https://github.com/schule111/Schule/commit/cbf7f509c37acd69b4ab8ee19d842de867b46b7e
  2. https://github.com/schule111/Schule/security/advisories/GHSA-37h9-qq7c-6mc9

Type: Weakness
Target: Incorrect Authorization (cwe-863)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-47324
CVE: CVE-2025-0849
CVE: CVE-2026-7491
CVE: CVE-2025-1144
CVE: CVE-2026-10167
CVE: CVE-2025-3587

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.