Classroomio: community verdicts
5 notable / known-exploited Classroomio CVEs the community has triaged.
- CVE-2025-65669CRIT 9.1Real · low riskEPSS 0%
An issue was discovered in classroomio 0.1.13. Student accounts are able to delete courses from the Explore page without any authorization or authentication checks, bypassing the expected admin-only deletion restriction.
- CVE-2025-65672HIGH 7.5Real · low riskEPSS 0%
Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows unauthorized share and invite access to course settings.
- CVE-2025-65670MED 4.3EPSS 0%
An Insecure Direct Object Reference (IDOR) in classroomio 0.1.13 allows students to access sensitive admin/teacher endpoints by manipulating course IDs in URLs, resulting in unauthorized disclosure of sensitive course, admin, and student data. The leak occurs momentarily before the system reverts to a normal state restricting access.
- CVE-2025-65675MED 5.4EPSS 0%
Stored Cross site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG profile pictures.
- CVE-2025-65676MED 5.4EPSS 0%
Stored Cross site scripting (XSS) vulnerability in Classroomio LMS 0.1.13 allows authenticated attackers to execute arbitrary code via crafted SVG cover images.