Zyosoft School App IOD Vulnerability Exposes Student Data

/HIGH /CVSS 8.1/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitycwe-639
Zyosoft School App IOD Vulnerability Exposes Student Data

The National Vulnerability Database (NVD) has disclosed CVE-2026-7491, a high-severity Insecure Direct Object Reference (IOD) vulnerability in the School App developed by Zyosoft. This flaw, rated 8.1 CVSS (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), allows an authenticated remote attacker to manipulate a specific parameter and gain unauthorized access to other users’ data.

This isn’t a theoretical risk; it’s a direct path to sensitive information. An attacker, even with low privileges, can modify user IDs or similar parameters to view and alter data belonging to other students, teachers, or administrators. This class of vulnerability (CWE-639) is a perennial problem in web applications, often due to insufficient authorization checks at the data access layer.

The implications for educational institutions using Zyosoft’s School App are severe. This vulnerability directly compromises data confidentiality and integrity, potentially exposing personal identifiable information (PII), academic records, and communication data. For attackers, it’s a low-effort, high-reward target: gain a single legitimate credential, and suddenly the entire user base is within reach.

What This Means For You

  • If your institution uses Zyosoft's School App, you need to immediately confirm if you are running an affected version. Demand a patch from Zyosoft and prioritize its deployment. Audit access logs for any anomalous data access patterns and ensure all user accounts adhere to strict least-privilege principles. This is a critical data breach waiting to happen.

Related ATT&CK Techniques

T1110 Brute Force Credential Access T1078.004 Abuse Cloud Accounts Initial Access T1190 Exploit Public-Facing Application Initial Access

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

critical T1190 Initial Access

CVE-2026-7491 - Zyosoft School App IOD - Unauthorized Data Access

Sigma YAML — free preview 
title: CVE-2026-7491 - Zyosoft School App IOD - Unauthorized Data Access
id: scw-2026-05-02-ai-1
status: experimental
level: critical
description: |
  Detects attempts to access or modify user/student data via insecure direct object references in the Zyosoft School App. This rule specifically looks for requests to common API endpoints that, when combined with the IOD vulnerability, allow unauthorized data access and modification.
author: SCW Feed Engine (AI-generated)
date: 2026-05-02
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7491/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-uri|contains:
          - '/api/users/'
          - '/api/students/'
      cs-method:
          - 'GET'
          - 'POST'
      sc-status:
          - '200'
      condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-7491 IDOR School App developed by Zyosoft
CVE-2026-7491 IDOR Authenticated remote attackers can modify a specific parameter to read and modify other users' data.

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 02, 2026 at 13:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-7627 — 8nite Metatrader-4-Mcp Path Traversal

CVE-2026-7627 — A security vulnerability has been detected in 8nite metatrader-4-mcp 1.0.0. This vulnerability affects the function CallToolRequestSchema of the file src/index.ts of the component...

vulnerabilityCVEmedium-severitypath-traversalcwe-22
/SCW Vulnerability Desk /MEDIUM /6.3 /⚑ 2 IOCs /⚙ 3 Sigma

CVE-2026-7612 — SQL Injection

CVE-2026-7612 — A vulnerability was determined in itsourcecode Courier Management System 1.0. Affected is an unknown function of the file /edit_user.php. Executing a manipulation of...

vulnerabilityCVEmedium-severitysql-injectioncwe-74cwe-89
/SCW Vulnerability Desk /MEDIUM /4.7 /⚑ 3 IOCs /⚙ 2 Sigma

CVE-2026-7609 — TRENDnet TEW-821DAP Command Injection

CVE-2026-7609 — A flaw has been found in TRENDnet TEW-821DAP up to 1.12B01. The impacted element is the function tools_diagnostic of the file /tmp/diagnostic of...

vulnerabilityCVEmedium-severitycommand-injectioncwe-77cwe-78
/SCW Vulnerability Desk /MEDIUM /6.3 /⚑ 3 IOCs /⚙ 2 Sigma