ByteOS Network

Clickedu

Source -

CNA

BOS Name -

N/A

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

2Vulnerabilities found

CVE-2026-2247

Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)

View Details

Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)

CVSS Score-8.3||HIGH

EPSS-0.14% / 34.33%

7 Day CHG~0.00%

Published-17 Feb, 2026 | 11:35

Updated-18 Feb, 2026 | 17:52

SQL Injection in Clickedu's SaaS platform

SQL injection vulnerability (SQLi) in Clicldeu SaaS, specifically in the generation of reports, which occurs when a previously authenticated remote attacker executes a malicious payload in the URL generated after downloading the student's report card in the ‘Day-to-day’ section from the mobile application. In the URL of the generated PDF, the session token used does not expire, so it remains valid for days after its generation, and unusual characters can be entered after the ‘id_alu’ parameter, resulting in two types of SQLi: boolean-based blind and time-based blind. Exploiting this vulnerability could allow an attacker to access confidential information in the database.

Vendor-Clickedu

Product-SaaS platform

CWE ID-CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2025-40650

Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)

View Details

Assigner-Spanish National Cybersecurity Institute, S.A. (INCIBE)

CVSS Score-8.7||HIGH

EPSS-0.08% / 23.43%

7 Day CHG~0.00%

Published-26 May, 2025 | 12:51

Updated-28 May, 2025 | 15:01

Insecure Direct Object Reference (IDOR) in Clickedu

Insecure Direct Object Reference (IDOR) vulnerability in Clickedu. This vulnerability could allow an attacker to retrieve information about student report cards.

Vendor-Clickedu

Product-Clickedu

CWE ID-CWE-639

Authorization Bypass Through User-Controlled Key