CVE-2025-65676 is a stored cross-site scripting vulnerability identified in Classroomio LMS version 0.1.13. The vulnerability arises from improper sanitization of SVG cover images uploaded by authenticated users. Attackers with valid credentials can craft malicious SVG files containing embedded scripts that execute in the context of other users who access the affected LMS content. This persistent XSS flaw allows execution of arbitrary JavaScript code, potentially leading to session hijacking, credential theft, or unauthorized actions within the LMS. The attack vector requires authentication, limiting exposure to users with upload privileges, but the impact extends to any user viewing the compromised content. No CVSS score has been assigned, and no patches or known exploits are currently reported. The vulnerability highlights a common risk in web applications that accept SVG files without adequate sanitization, as SVGs can embed executable scripts. Classroomio LMS, as an educational platform, is a critical tool for many organizations, making this vulnerability a significant concern for data integrity and user security.

For European organizations, particularly educational institutions and corporate training providers using Classroomio LMS, this vulnerability poses a risk of unauthorized code execution within their learning environments. Exploitation could lead to theft of user credentials, unauthorized access to sensitive educational data, manipulation of course content, and potential spread of malware. The persistent nature of stored XSS means that once a malicious SVG is uploaded, multiple users can be affected, amplifying the impact. This could undermine trust in the LMS platform and disrupt educational activities. Additionally, regulatory compliance such as GDPR could be implicated if personal data is compromised. The requirement for attacker authentication reduces the risk of external attackers but insider threats or compromised accounts could still exploit this vulnerability. The lack of patches increases the urgency for organizations to implement interim mitigations.

European organizations should immediately restrict or disable SVG file uploads in Classroomio LMS until a vendor patch is available. Implement strict input validation and sanitization on all uploaded image files, especially SVGs, to remove any embedded scripts or malicious content. Employ Content Security Policy (CSP) headers to limit script execution contexts within the LMS web application. Conduct regular audits of uploaded content to detect and remove suspicious files. Enforce strong authentication and monitoring to detect anomalous upload activities. Educate users about the risks of uploading untrusted files. If possible, isolate the LMS environment to limit lateral movement in case of exploitation. Coordinate with the vendor for timely patch deployment once available. Consider deploying web application firewalls (WAFs) with rules to detect and block XSS payloads in SVG uploads.