Scan free
LOWCVE-2025-13784CVSS 2.4

CVE-2025-13784: XSS in yungifez Skuul School Management System

Platform

php

Component

yungifez/skuul

Fixed in

2.6.1

2.6.2

2.6.3

2.6.4

2.6.5

2.6.6

2.6.6

AI Confidence: highNVDEPSS 0.0%Reviewed: May 2026
View on NVD
Save

A cross-site scripting (XSS) vulnerability has been identified in yungifez Skuul School Management System versions up to 2.6.5. This flaw resides within the SVG File Handler component, specifically affecting the /dashboard/schools/1/edit file. Successful exploitation allows an attacker to inject malicious scripts, potentially compromising user sessions and system integrity. A fix is available in version 2.6.6.

Impact and Attack Scenarios

This XSS vulnerability allows an attacker to inject arbitrary JavaScript code into the Skuul School Management System. An attacker could leverage this to steal user credentials, redirect users to malicious websites, or deface the application. The vulnerability's location within the /dashboard/schools/1/edit page suggests that administrators are particularly at risk, as they often have elevated privileges within the system. Given the public availability of an exploit, rapid exploitation is likely. The impact could extend beyond the immediate application, potentially affecting any systems accessible through compromised administrator accounts.

Exploitation Context

This vulnerability has been publicly disclosed and an exploit is available, indicating a high likelihood of exploitation. The CVE was published on 2025-11-30. The vendor has not responded to early disclosure attempts. The CVSS score of 2.4 (LOW) reflects the relatively limited impact and ease of exploitation, but the public exploit significantly increases the risk.

Threat Intelligence

Exploit Status

Proof of ConceptUnknown
CISA KEVNO
Internet ExposureHigh

EPSS

0.04% (13% percentile)

CISA SSVC

Exploitationpoc
Automatableno
Technical Impactpartial

CVSS Vector

THREAT INTELLIGENCE· CVSS 3.1CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N2.4LOWAttack VectorNetworkHow the attacker reaches the targetAttack ComplexityLowConditions required to exploitPrivileges RequiredHighAuthentication level needed to attackUser InteractionRequiredWhether a victim must take actionScopeUnchangedImpact beyond the vulnerable componentConfidentialityNoneRisk of sensitive data exposureIntegrityLowRisk of unauthorized data modificationAvailabilityNoneRisk of service disruptionnextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
High — admin or privileged account required to exploit.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Componentyungifez/skuul
Vendorosv
Affected rangeFixed in
2.6.0 – 2.6.02.6.1
2.6.1 – 2.6.12.6.2
2.6.2 – 2.6.22.6.3
2.6.3 – 2.6.32.6.4
2.6.4 – 2.6.42.6.5
2.6.5 – 2.6.52.6.6
2.6.52.6.6

Package Information

Last updated
V2.6.49 months ago

Weakness Classification (CWE)

CWE-79CWE-94

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2025-13784 is to upgrade to version 2.6.6 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on user-supplied data within the /dashboard/schools/1/edit page. Web application firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review and sanitize any SVG files uploaded to the system to prevent malicious code injection.

How to fix

Update to a patched version or apply mitigations provided by the vendor, if available. Given that the vendor does not respond, it is recommended to analyze the vulnerable code and apply a patch manually to prevent the execution of unwanted scripts. Validating and sanitizing SVG file inputs is crucial to prevent XSS attacks.

CVE Security Newsletter

Vulnerability analysis and critical alerts directly to your inbox.

Frequently asked questions

What is CVE-2025-13784 — XSS in yungifez Skuul School Management System?

CVE-2025-13784 is a cross-site scripting (XSS) vulnerability affecting yungifez Skuul School Management System versions up to 2.6.5, allowing attackers to inject malicious scripts.

Am I affected by CVE-2025-13784 in yungifez Skuul School Management System?

You are affected if you are using yungifez Skuul School Management System versions 2.6.5 or earlier. Upgrade to 2.6.6 or later to mitigate the risk.

How do I fix CVE-2025-13784 in yungifez Skuul School Management System?

The recommended fix is to upgrade to version 2.6.6 or later. Implement input validation and output encoding as a temporary workaround.

Is CVE-2025-13784 being actively exploited?

Yes, a public exploit is available, indicating a high probability of active exploitation.

Where can I find the official yungifez advisory for CVE-2025-13784?

The vendor has not responded to early disclosure attempts. Check the yungifez website and GitHub repository for updates.

Is your project affected?

Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.

Scan freeSearch CVEs