Security Flaw in Skuul Management System Poses Risk to Student Fee Data

A newly disclosed security vulnerability in the yungifez Skuul School Management System, affecting versions up to 2.6.5, could allow attackers to manipulate resource identifiers and potentially access or alter student fee invoice information. The flaw, categorized as a resource injection, highlights ongoing challenges in securing educational technology platforms.

Tracked as CVE-2025-12918, the issue stems from improper handling of the ‘invoice_id’ argument within the system’s “View Fee Invoice” component, specifically in the /dashboard/fees/fee-invoices/ section. While considered difficult to exploit, a public proof-of-concept exists, raising concerns for institutions using the software.

The vulnerability, detailed by VulDB and credited to security researcher Zeeshan Khan, falls under the CWE-99: Improper Control of Resource Identifiers category. This type of weakness occurs when an application incorrectly handles paths or references to internal resources, allowing an attacker to request or manipulate unintended files or data. In this instance, manipulating the invoice_id argument could grant unauthorized access to fee invoices.
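As an added illustration of the weakness class described above (constructed example code, not code from Skuul, VulDB or the researcher), the Python handlers below contrast a lookup that trusts the caller-supplied invoice_id with one that scopes the lookup to the requesting user's permitted records; the invoice data, the User roles and the function names are assumptions, not Skuul's schema.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data (not Skuul's schema): invoices keyed by invoice_id,
# each belonging to one student. Student 1 must never see invoice 102.
INVOICES = {
    101: {"invoice_id": 101, "student_id": 1, "amount": 1500.00},
    102: {"invoice_id": 102, "student_id": 2, "amount": 1750.00},
}

@dataclass
class User:
    id: int
    role: str                                          # assumed roles: "student", "admin"
    student_ids: tuple = field(default_factory=tuple)  # students this user may view

def view_invoice_vulnerable(user: User, invoice_id: str) -> Optional[dict]:
    """CWE-99 pattern: the caller-supplied identifier alone selects the
    resource. Nothing ties the invoice to the requesting user, so any
    valid id returns another student's fee data."""
    if not invoice_id.isdigit():
        return None
    return INVOICES.get(int(invoice_id))

def view_invoice_hardened(user: User, invoice_id: str) -> Optional[dict]:
    """Scoped lookup: the identifier is validated, then the ownership
    constraint is applied as part of the lookup (in a real application,
    as a condition on the same query) so out-of-scope ids resolve to nothing."""
    if not invoice_id.isdigit():
        return None                          # reject malformed identifiers
    inv = INVOICES.get(int(invoice_id))
    if inv is None:
        return None
    if user.role == "admin" or inv["student_id"] in user.student_ids:
        return inv
    # Out of scope: answer exactly as for a missing id, so the response
    # does not reveal that the invoice exists.
    return None

if __name__ == "__main__":
    student = User(id=1, role="student", student_ids=(1,))
    print("vulnerable:", view_invoice_vulnerable(student, "102"))  # another student's invoice
    print("hardened:  ", view_invoice_hardened(student, "102"))    # None
```

The hardened form also treats "not yours" and "does not exist" identically, which keeps the endpoint from acting as an oracle for valid invoice ids.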

The attack, which can be carried out remotely, is described as having “high complexity,” suggesting it requires specific knowledge and effort to execute successfully. However, the release of an exploit to the public, documented in a GitHub Gist, significantly lowers the barrier for potential malicious actors. Despite early disclosure, the vendor, yungifez, has reportedly not responded to the vulnerability report, leaving affected organizations in a precarious position.

The lack of vendor response underscores a persistent problem in software security, where vulnerabilities remain unpatched and users are left exposed. Educational institutions relying on systems like Skuul are urged to monitor for official updates or consider mitigation strategies to protect sensitive financial and student data.