
ClassroomIO

EDTECH
Velocity: 0.0

Open-source education platform and Moodle alternative — multi-teacher course management, assignments, and quizzes.

Pre-1.0 open-source LMS in a security-hardening sprint after a wave of disclosed CVEs.

Tags: lms, open-source, security-fixes, early-stage, architectural-migration
Current state
ClassroomIO is an early-stage (0.2.x) open-source learning platform. The recent release log is dominated by security work: stored XSS via SVG upload, email-verification bypass vectors, and a full migration of client-side database calls to server-side authenticated endpoints with role-based filtering — three security releases inside a single week in early December 2025. The January 2026 patch is an unrelated content-save data-loss bug.
Where it's heading
The product has just walked through a security maturity gate. Moving from client-side DB access to a server-side API with auth middleware is a foundational change, not a cleanup — it implies the previous architecture wasn't safe to grow on. After it, the cadence drops to small bug fixes, which fits a team catching its breath after structural rework. There's no visible product-direction work yet (no new features, no AI, no integrations).
Prediction
Once the team is confident in the new server-side architecture, expect the next visible work to swing back to features — likely course-builder or learner-flow improvements that the prior architecture made hard. Another security release is possible but less likely given how comprehensive 0.2.8 was.

Recent moves

  1. 3mo ago

    0.2.11: fix: urgent fix for lessons not saving after moving to another lesson

    A silent-data-loss bug where editing a lesson and navigating to an empty lesson would issue a PATCH against a non-existent row and discard the user's edits without error. The first non-security release in the recent window — a sign the team is back to feature-flow bug-fixing after the December security sprint.

  2. 5mo ago

    v0.2.8: Security Enhancement - Server-side API Migration

    ⚡ SPARK

    All database access moved off the client and behind a server-side API with role-based permission checks and auth middleware. This is the structural correction that the prior week's email-verification and XSS CVEs exposed as necessary — a turning point in the project's security posture.

  3. 5mo ago

    Security Release v0.2.6: Email Verification Bypass Vulnerabilities Fixed

    Patched a set of email-verification bypass paths: client-side status manipulation, base64 token forgery, and DOM bypasses. Tagged as critical with CVEs pending — a hint of why the broader server-side API migration followed two days later.

  4. 5mo ago

    v0.2.5: Critical SVG XSS Security Fix

    Stored XSS via SVG profile uploads — defensible with file-type validation and sanitisation. The first of three back-to-back security releases that culminated in the server-side architecture overhaul.

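The two controls named for the v0.2.5 fix, file-type validation and sanitisation of uploaded SVGs, as an added example that is not ClassroomIO's code: a hypothetical server-side upload gate that checks the body is really an SVG document and rejects any file carrying active content (assumes the upload body is available as text and the declared MIME type comes from the request; sample inputs are constructed).

```typescript
// Added example (hypothetical helper, not ClassroomIO's code). Declared MIME
// types and extensions come from the client, so the bytes themselves decide.

const ACTIVE_CONTENT_TAGS = /<\s*\/?\s*(script|foreignObject|iframe|embed|object|set|animate)\b/i;
const EVENT_HANDLER_ATTR = /\son[a-z]+\s*=/i;          // onload=, onclick=, ...
const SCRIPT_URL = /(javascript|vbscript|data)\s*:/i;   // data: rejected conservatively
const EXTERNAL_REF = /(?:xlink:)?href\s*=\s*["']\s*(?!#)/i; // only same-document #refs allowed
// XML declaration, comments and a simple DOCTYPE may precede the root element.
// A DOCTYPE with an internal subset (entities) is deliberately not matched and so fails.
const LEADING_PROLOGUE = /^(\uFEFF|\s|<\?xml[\s\S]*?\?>|<!--[\s\S]*?-->|<!DOCTYPE[^>\[]*>)*/i;

interface UploadVerdict { ok: boolean; reason?: string }

function codePoint(n: number): string {
  return Number.isFinite(n) && n > 0 && n <= 0x10ffff ? String.fromCodePoint(n) : "\uFFFD";
}

// Decode numeric character references so "java&#115;cript:" is seen as "javascript:".
function decodeNumericEntities(s: string): string {
  return s
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => codePoint(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => codePoint(parseInt(d, 10)));
}

function checkSvgUpload(body: string, declaredMime: string, maxBytes = 256 * 1024): UploadVerdict {
  if (declaredMime.split(";")[0].trim().toLowerCase() !== "image/svg+xml") {
    return { ok: false, reason: "unexpected content type" };
  }
  if (body.length > maxBytes) return { ok: false, reason: "file too large" };
  // File-type validation: after the prologue, the document must open with an <svg> root.
  if (!/^<svg[\s>\/]/i.test(body.replace(LEADING_PROLOGUE, ""))) {
    return { ok: false, reason: "not an svg document" };
  }
  const text = decodeNumericEntities(body);
  if (ACTIVE_CONTENT_TAGS.test(text)) return { ok: false, reason: "active content element" };
  if (EVENT_HANDLER_ATTR.test(text)) return { ok: false, reason: "event handler attribute" };
  if (SCRIPT_URL.test(text)) return { ok: false, reason: "script or data URL" };
  if (EXTERNAL_REF.test(text)) return { ok: false, reason: "external reference" };
  return { ok: true };
}

// Constructed samples: one benign avatar and three variants a gate must refuse.
const SAMPLES: Record<string, string> = {
  safe: '<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="#0af"/></svg>',
  script: '<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>',
  onload: '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"></svg>',
  entity: '<svg xmlns="http://www.w3.org/2000/svg"><a href="java&#115;cript:alert(1)"><text>x</text></a></svg>',
};

for (const [name, svg] of Object.entries(SAMPLES)) console.log(name, checkSvgUpload(svg, "image/svg+xml"));
```

Rejecting rather than rewriting keeps the gate small; a sanitising path would instead re-serialise the document from an element and attribute allowlist.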