Stored Cross Site Scripting Vulnerability in Smart School by Incibe
CVE-2025-41107

5.1MEDIUM

Key Information:

Vendor: Qdocs
Status: Smart Schoo
Vendor: CVE Published:; 10 November 2025

What is CVE-2025-41107?

A vulnerability exists in Smart School 7.0 that allows attackers to exploit insufficient validation of user input in POST requests to the '/online_admission' endpoint. This affects parameters such as 'firstname', 'lastname', and 'guardian_name', making it possible for an attacker to inject malicious scripts. A successful attack could result in the theft of session cookies from authenticated users, thereby compromising user sessions and sensitive data.

Affected Version(s)

Smart Schoo 7.0

References

https://www.incibe.es/en/incibe-cert/notices/aviso/stored...

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 10, 2025
Vulnerability Reserved
Apr 16, 2025

Credit

Gonzalo Aguilar García (6h4ack)

JSON

Qdocs

What is CVE-2025-41107?

Affected Version(s)

References

CVSS V4

Timeline

Credit