
CVE-2025-10076: SQL Injection in SourceCodester Online Polling System

Severity: Medium
Tags: Vulnerability, CVE-2025-10076
Published: Mon Sep 08 2025 (09/08/2025, 01:02:07 UTC)
Source: CVE Database V5
Vendor/Project: SourceCodester
Product: Online Polling System

Description

A weakness has been identified in SourceCodester Online Polling System 1.0. It affects an unknown function of the file /manage-profile.php. Manipulation of the argument email causes SQL injection. The attack may be initiated remotely. The exploit has been made publicly available and could be used.

AI-Powered Analysis

Last updated: 09/08/2025, 01:33:11 UTC

Technical Analysis

CVE-2025-10076 is a SQL injection vulnerability in SourceCodester Online Polling System version 1.0, specifically in the file /manage-profile.php. The flaw arises from missing sanitization or validation of the 'email' parameter, which an attacker can manipulate to inject SQL into a backend query. The injection allows remote attackers to execute arbitrary SQL statements against the application's database without authentication or user interaction. The CVSS 4.0 base score is 6.9 (medium severity): the attack vector is network-based (AV:N), no privileges are required (PR:N), and no user interaction is needed (UI:N). The impact on confidentiality, integrity, and availability of the vulnerable system is rated low but present (VC:L, VI:L, VA:L), indicating partial compromise potential. No impact on subsequent systems is recorded (SC:N), and the exploit maturity is E:P (a proof-of-concept exists). Although no exploitation in the wild is currently known, exploit code has been published, which raises the likelihood of attacks. Successful exploitation could let attackers extract sensitive data, modify or delete records, or disrupt polling operations, undermining the integrity and trustworthiness of poll results. Because the affected product is an online polling system, the impact extends to the integrity and availability of polling services and to any decision-making that relies on them.

Potential Impact

For European organizations using SourceCodester Online Polling System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of polling data. Attackers exploiting this flaw could manipulate poll results, leading to misinformation or skewed data that could affect public opinion analysis, market research, or internal decision-making. The availability of the polling system could also be disrupted, causing service outages or denial of service. Given the medium severity and the lack of authentication requirements, attackers can remotely exploit this vulnerability without needing credentials, increasing the attack surface. Organizations involved in political polling, public opinion research, or customer feedback collection in Europe could face reputational damage, regulatory scrutiny under GDPR if personal data is exposed, and operational disruptions. The risk is heightened for entities that rely heavily on the integrity of polling data for compliance, strategic decisions, or public communication.

Mitigation Recommendations

To mitigate CVE-2025-10076, organizations should immediately review and sanitize all inputs, especially the 'email' parameter in /manage-profile.php, using parameterized queries or prepared statements to prevent SQL injection. Since no official patch is currently available, applying a Web Application Firewall (WAF) with custom rules to detect and block SQL injection patterns targeting the vulnerable endpoint is recommended. Conduct thorough code audits to identify similar injection points in the application. Restrict database user permissions to the minimum necessary to limit the impact of potential exploitation. Monitor logs for suspicious activities related to SQL injection attempts. If feasible, isolate the polling system from critical internal networks and restrict access to trusted IP addresses. Organizations should also plan for an upgrade or replacement of the vulnerable software version once a patch is released. Regular backups of polling data should be maintained to enable recovery in case of data tampering or loss.
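The advisory does not show the vulnerable code, so the following is an added illustration (not SourceCodester's code) of the fix the recommendation describes: the request value spliced into the query string, beside the same operation done with validation and a bound parameter. The mysqli connection, the `users` table and its `email` and `id` columns are assumed placeholders.

```php
<?php
// Added illustration for CVE-2025-10076-style input handling; not the
// application's own code. Assumes a mysqli connection $conn and a table
// `users` with columns `email` and `id` (all hypothetical placeholders).

// Vulnerable pattern (the bug class the advisory describes): the value of
// the 'email' request parameter is concatenated straight into the SQL text,
// so the database cannot tell data from query syntax.
function update_email_unsafe(mysqli $conn, int $userId, string $email): bool
{
    $sql = "UPDATE users SET email = '" . $email . "' WHERE id = " . $userId;
    return (bool) $conn->query($sql);
}

// Hardened form: reject values that do not look like an email address, then
// send the value as a bound parameter so it is never parsed as SQL.
function update_email_safe(mysqli $conn, int $userId, string $email): bool
{
    // Validate the shape first; an unexpected value is refused, not "cleaned".
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }

    // Prepared statement: placeholders keep query structure fixed; the
    // driver transmits the values separately from the SQL text.
    $stmt = $conn->prepare("UPDATE users SET email = ? WHERE id = ?");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param("si", $email, $userId); // s = string, i = integer
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Typical call site for the hardened version; $_POST['email'] is the
// attacker-controlled input named in the advisory.
// $ok = update_email_safe($conn, (int) $_SESSION['user_id'], $_POST['email'] ?? '');
```

Pairing the prepared statement with a database account that holds only the privileges /manage-profile.php needs (as the recommendations above suggest) limits what a remaining injection point elsewhere in the application could do.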


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-07T11:48:48.192Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68be2edfe3f0bafba8aac59c
Added to database: 9/8/2025, 1:18:23 AM
Last enriched: 9/8/2025, 1:33:11 AM
Last updated: 9/8/2025, 7:13:20 AM
