CVE-2025-65676

MEDIUM

Classroomio 0.1.13 - Authenticated Stored Cross-Site Scripting via SVG Cover Image

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-65676. PoCs published by Rivek619.

AI-analyzed exploit summary: This repository contains a writeup detailing a stored XSS vulnerability in Classroomio LMS 0.1.13, where authenticated attackers can upload malicious SVG files to execute arbitrary JavaScript. The writeup includes steps to reproduce the vulnerability and screenshots demonstrating the exploit.

Description

Stored cross-site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG cover images.

Exploits (1)

nomisec WRITEUP
by Rivek619 · poc
https://github.com/Rivek619/CVE-2025-65676

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Classroomio LMS 0.1.13
Auth required
Prerequisites: Authenticated access to Classroomio LMS · Ability to upload course cover images
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v3: 5.4
EPSS: 0.0023
EPSS Percentile: 13.6%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-79
Status: published
Products (1): classroomio/classroomio 0.1.13
Published: Nov 26, 2025
Tracked Since: Feb 18, 2026