Insecure Direct Object Reference in School App by Zyosoft
CVE-2026-7491

8.6HIGH

Key Information:

Vendor: Zyosoft
Status: School App
Vendor: CVE Published:; 2 May 2026

What is CVE-2026-7491?

The School App, created by Zyosoft, contains an Insecure Direct Object Reference vulnerability. This flaw enables authenticated remote attackers to manipulate a specific parameter, allowing them to access and alter data belonging to other users. Such a vulnerability poses significant risks to user privacy and data integrity, making it crucial for organizations using this application to implement appropriate security measures and apply necessary updates promptly.

Affected Version(s)

School App Android 0 < 1.1.62

School App MacOS 0 < 2.7.2

References

https://www.twcert.org.tw/tw/cp-132-10896-e3240-1.html

third-party-advisory

https://www.twcert.org.tw/en/cp-139-10897-64257-2.html

third-party-advisory

CVSS V4

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 2, 2026
Vulnerability Reserved
Apr 30, 2026

CVE-2026-7491 Data

JSON