
CVE-2025-65675: n/a

Published: Wed Nov 26 2025 (11/26/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Stored Cross site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG profile pictures.

AI-Powered Analysis

Last updated: 11/26/2025, 18:58:04 UTC

Technical Analysis

CVE-2025-65675 is a stored cross-site scripting (XSS) vulnerability identified in Classroomio LMS version 0.1.13. The vulnerability arises from insufficient sanitization of SVG profile picture uploads, allowing authenticated users to embed malicious scripts within SVG files. When these crafted SVG images are rendered by other users or administrators, the embedded scripts execute in their browsers, leading to arbitrary code execution within the context of the LMS web application. This persistent XSS can be exploited to hijack user sessions, steal sensitive information, perform actions on behalf of victims, or pivot to further attacks within the LMS environment. The vulnerability requires the attacker to be authenticated, which limits exposure to internal or registered users but does not eliminate risk, especially in environments with many users or weak access controls. No official CVSS score has been assigned yet, but the nature of stored XSS combined with arbitrary code execution potential makes this a significant threat. The lack of available patches or mitigations at the time of disclosure increases the urgency for organizations to implement compensating controls. Classroomio LMS is used in educational settings, where protecting student and faculty data is critical. The vulnerability highlights the risks of allowing SVG uploads without proper sanitization, as SVG files can contain embedded JavaScript. Attackers can exploit this vector to compromise confidentiality, integrity, and availability of the LMS platform.

Potential Impact

For European organizations, particularly educational institutions using Classroomio LMS, this vulnerability could lead to unauthorized access to sensitive student and faculty data, session hijacking, and potential disruption of learning services. The persistent nature of stored XSS means that once exploited, the malicious code can affect multiple users over time, increasing the scope of impact. Confidentiality is at risk due to potential data theft, integrity can be compromised through unauthorized actions performed by attackers, and availability may be affected if the LMS is manipulated or taken offline. Given the increasing reliance on digital learning platforms in Europe, exploitation could undermine trust in these systems and lead to regulatory consequences under GDPR if personal data is exposed. The requirement for authentication reduces the attack surface but does not eliminate risk, especially in large institutions with many users. The absence of known exploits in the wild currently provides a window for proactive defense, but the vulnerability should be treated as high risk due to the ease of exploitation once authenticated and the potential for widespread impact.

Mitigation Recommendations

European organizations should immediately implement strict input validation and sanitization for SVG uploads, ideally disabling SVG uploads entirely if not required. Employ server-side sanitization libraries specifically designed to remove scripts and malicious content from SVG files. Implement Content Security Policy (CSP) headers to restrict script execution and reduce the impact of any injected scripts. Enforce strong authentication and role-based access controls to limit who can upload profile pictures. Monitor LMS logs for unusual upload activity or script execution attempts. Educate users about the risks of uploading untrusted content. If possible, upgrade to a patched version of Classroomio LMS once available. In the interim, consider disabling profile picture uploads or restricting them to non-SVG formats. Conduct regular security assessments and penetration tests focused on input handling and XSS vulnerabilities. Finally, prepare incident response plans to quickly address any exploitation attempts.
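As a worked illustration of the server-side sanitization recommended above, the following is an added example (not Classroomio code, and not tied to how the project actually stores uploads): it parses an uploaded SVG with the standard library, drops script-bearing elements, event-handler attributes and non-fragment hrefs, and reports what it removed so the upload handler can log or reject the file. The sample upload is constructed for the demonstration.

```python
"""Server-side SVG sanitizer for profile-picture uploads (added example)."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that can carry or load executable/external content; removed with their subtree.
FORBIDDEN_TAGS = {"script", "foreignobject", "iframe", "embed", "object", "use", "animate", "set"}


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1].lower()


def sanitize_svg(svg_bytes: bytes) -> tuple[bytes, list[str]]:
    """Return (clean_svg, removals); raise ValueError if the document is not an SVG.
    Note: in production parse with defusedxml to also block entity-expansion attacks."""
    root = ET.fromstring(svg_bytes)
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    removals: list[str] = []
    # Iterate over a snapshot so children can be removed while walking the tree.
    for parent in list(root.iter()):
        for child in list(parent):
            if _local(child.tag) in FORBIDDEN_TAGS:
                parent.remove(child)
                removals.append(f"element:{_local(child.tag)}")
    for el in root.iter():
        for attr in list(el.attrib):
            name, value = _local(attr), el.attrib[attr]
            if name.startswith("on"):  # onload=, onclick=, ... inline handlers
                del el.attrib[attr]
                removals.append(f"attr:{name}")
            elif name == "href" and not value.startswith("#"):  # only same-document refs
                del el.attrib[attr]
                removals.append(f"attr:{name}")
            elif name == "style" and re.search(r"url\s*\(|expression\s*\(", value, re.I):
                del el.attrib[attr]
                removals.append("attr:style")
    return ET.tostring(root), removals


# Constructed sample: a valid image carrying an inert <script>, an onload= handler and a javascript: link.
SAMPLE_UPLOAD = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
                 b'onload="x()"><circle cx="20" cy="20" r="10"/><script>/* constructed */</script>'
                 b'<a xlink:href="javascript:x()"><text>profile</text></a></svg>')
```

A non-empty removals list is itself a useful signal: a profile picture that needed anything stripped is worth logging under the monitoring step above, or rejecting outright if the policy is to refuse rather than clean.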


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-11-18T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 69274a408e37a182565a4464

Added to database: 11/26/2025, 6:43:12 PM

Last enriched: 11/26/2025, 6:58:04 PM

Last updated: 11/26/2025, 8:21:06 PM
