CVE-2025-41107 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in QDOCS Smart School version 7.0. The vulnerability stems from insufficient sanitization and validation of user-supplied input parameters such as 'firstname', 'lastname', and 'guardian_name' when processing POST requests to the '/online_admission' endpoint. Because the input is stored and later rendered in web pages viewed by authenticated users, an attacker can inject malicious JavaScript code that executes in the victim's browser context. This can lead to theft of session cookies, enabling session hijacking, unauthorized actions, or further exploitation within the application. The vulnerability does not require elevated privileges to exploit but does require the attacker to submit crafted data and for the victim to access the affected page. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L - low privileges), user interaction required (UI:P), and limited scope and impact confined to confidentiality. The vulnerability was published on November 10, 2025, and no patches or known exploits are currently available. The vulnerability is particularly concerning for educational institutions using Smart School 7.0, as it could compromise sensitive student and guardian data and disrupt school operations.

For European organizations, particularly educational institutions using QDOCS Smart School 7.0, this vulnerability poses a risk of session hijacking and unauthorized access to sensitive student and guardian information. Exploitation could lead to data breaches involving personally identifiable information (PII), undermining privacy compliance with GDPR. Attackers could impersonate authenticated users, potentially manipulating admission data or accessing restricted areas of the application. This could damage institutional reputation, result in regulatory penalties, and disrupt normal school operations. Since the vulnerability is stored XSS, it can persist and affect multiple users over time. The medium CVSS score reflects moderate risk, but the impact on confidentiality and integrity of sensitive data in educational contexts is significant. The lack of known exploits suggests a window for proactive mitigation before widespread abuse occurs.

1. Immediate mitigation should include implementing strict input validation and output encoding on all user-supplied data fields, especially 'firstname', 'lastname', 'guardian_name', and any other parameters accepted via the '/online_admission' endpoint. 2. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in the browser context. 3. Use HTTP-only and Secure flags on session cookies to reduce risk of theft via XSS. 4. Monitor application logs for unusual POST requests or injection attempts targeting the vulnerable parameters. 5. Restrict access to the admission form to trusted users or IP ranges where feasible. 6. Engage with QDOCS for an official patch or update; if unavailable, consider temporary workarounds such as web application firewalls (WAF) with rules to detect and block XSS payloads. 7. Educate users to avoid clicking suspicious links or submitting untrusted data. 8. Conduct regular security assessments and penetration tests focusing on input validation and stored XSS vectors.