CVE-2025-10077: SQL Injection in SourceCodester Online Polling System
A security vulnerability has been detected in SourceCodester Online Polling System 1.0. It affects an unknown function of the file /registeracc.php. Manipulation of the argument email leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.
AI Analysis
Technical Summary
CVE-2025-10077 is a SQL injection vulnerability in SourceCodester Online Polling System 1.0. It is located in /registeracc.php, in the handling of the 'email' parameter: the value is incorporated into a backend database query in a way that lets a remote, unauthenticated attacker change the structure of the query and run SQL of their choosing. The specific function has not been named publicly. The CVSS v4.0 vector describes a network-reachable (AV:N), low-complexity (AC:L) attack that needs neither privileges (PR:N) nor user interaction (UI:N); the impact on the confidentiality, integrity and availability of the vulnerable system is rated low on each axis (VC:L, VI:L, VA:L), giving a base score of 6.9, which is medium severity. A proof of concept has been disclosed publicly, but no exploitation in the wild had been reported when this entry was written; the two should not be conflated, since a public PoC for an unauthenticated web endpoint typically shortens the time to opportunistic scanning. Practical outcomes include reading data from the application's database (user records including e-mail addresses, and poll data), modifying it, or triggering errors that disrupt the polling service, any of which undermines the integrity of poll results. No vendor patch or mitigation guidance was available at the time of writing, so the risk rests with operators of this version.
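The advisory does not reproduce the affected code, so the following is an added illustration of the bug class rather than code from the Online Polling System project. It assumes a hypothetical "is this e-mail already registered?" lookup and uses SQLite in place of the application's real database; only the two query-building patterns matter. The payloads are generic textbook strings, not steps from the public PoC.

```python
import sqlite3

# Added illustration of the bug class behind CVE-2025-10077. The advisory does not
# reproduce registeracc.php, so the table layout, the lookup and the SQLite backend
# are assumptions standing in for the application's real code.
SCHEMA = """
CREATE TABLE users (
    id    INTEGER PRIMARY KEY,
    email TEXT NOT NULL,
    name  TEXT NOT NULL
);
INSERT INTO users (email, name) VALUES ('alice@example.org', 'Alice');
INSERT INTO users (email, name) VALUES ('bob@example.org', 'Bob');
"""


def make_db() -> sqlite3.Connection:
    """Return an in-memory database seeded with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list[str]:
    """String-concatenated lookup: whatever is in `email` becomes SQL text."""
    sql = "SELECT email FROM users WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, email: str) -> list[str]:
    """Parameterized lookup: the driver binds the value; it is never parsed as SQL."""
    sql = "SELECT email FROM users WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def demo() -> dict:
    """Run the same inputs through both lookups and collect the results."""
    conn = make_db()
    legit = "alice@example.org"
    tautology = "' OR '1'='1"                     # turns the WHERE clause always-true
    union = "' UNION SELECT name FROM users -- "  # pulls another column into the result
    quoted = "o'brien@example.org"                # legitimate value containing a quote

    # The concatenating version cannot even handle an apostrophe in valid input.
    try:
        lookup_vulnerable(conn, quoted)
        vuln_quoted = "ok"
    except sqlite3.DatabaseError:
        vuln_quoted = "error"

    return {
        "legit": (lookup_vulnerable(conn, legit), lookup_safe(conn, legit)),
        "tautology": (sorted(lookup_vulnerable(conn, tautology)), lookup_safe(conn, tautology)),
        "union": (sorted(lookup_vulnerable(conn, union)), lookup_safe(conn, union)),
        "quoted": (vuln_quoted, lookup_safe(conn, quoted)),
    }


if __name__ == "__main__":
    for case, (vulnerable, safe) in demo().items():
        print(f"{case:10s} vulnerable={vulnerable!r:45s} safe={safe!r}")
```

The concatenated form returns every row for the tautology, leaks a different column for the UNION payload, and throws on a valid address containing an apostrophe; the bound form returns an empty result for the payloads and handles the apostrophe correctly. In PHP the equivalent of the safe form is a mysqli or PDO prepared statement with the e-mail passed as a bound parameter.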
Potential Impact
For European organizations running SourceCodester Online Polling System 1.0, the vulnerability puts the confidentiality and integrity of polling data and user information at risk. An attacker could extract stored data such as users' e-mail addresses or alter poll results, which matters wherever those results feed decisions: public-sector consultations, political organizations, or internal surveys used for strategy. Because user records are personal data, a breach can also trigger GDPR notification duties and potential penalties. The availability impact is rated low, but injected queries can still cause errors or temporary outages that erode user trust. Since no authentication is required, any instance reachable from the internet can be targeted directly, so the exposure is greatest for organizations with public-facing polling platforms.
Mitigation Recommendations
Organizations should first establish whether they run SourceCodester Online Polling System 1.0 at all and identify every instance on which /registeracc.php is reachable, especially from the internet. With no official patch available, the durable fix is in the application itself: the software is distributed as PHP source, so the query that consumes the 'email' parameter can be rewritten to use prepared statements with bound parameters (mysqli or PDO) instead of string concatenation, and the same pattern should be applied to every other user-supplied value in the code base, since projects with one injection point rarely have only one. Strict input validation (an allowlist format check on the e-mail address) is worthwhile defence in depth but is not a substitute for parameterization. A web application firewall with rules for SQL injection patterns in the 'email' parameter of /registeracc.php buys time while the code is fixed, with the caveat that signature-based rules are routinely bypassed through encoding and comment tricks. Where feasible, restrict network access to the polling system to trusted IP ranges or put it behind authentication at the proxy. Monitor logs for requests to /registeracc.php whose e-mail value contains quotes, SQL keywords or comment sequences; if the parameter is sent in the request body rather than the query string, that monitoring has to happen at the application or WAF layer, because standard web-server access logs do not record POST bodies. Longer term, consider replacing the application with a maintained alternative that follows secure coding practices. Finally, review GDPR obligations for the personal data the system holds and make sure an incident response plan exists in case the data has already been compromised.
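An added example of the log check and the allowlist validation described above; it is not code from the project or the advisory. The log lines are constructed and assume the e-mail argument arrives in the query string (which is what makes it visible in a web-server log); the endpoint path and parameter name are taken from the advisory, and the payload strings are generic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines in "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [08/Sep/2025:01:40:12 +0000] "GET /registeracc.php?email=alice%40example.org&name=Alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [08/Sep/2025:01:40:13 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [08/Sep/2025:01:41:02 +0000] "GET /registeracc.php?email=x%27%20OR%20%271%27%3D%271&name=z HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.23 - - [08/Sep/2025:01:41:05 +0000] "GET /registeracc.php?email=x%27%20UNION%20SELECT%201,2,3--%20&name=z HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.23 - - [08/Sep/2025:01:41:09 +0000] "GET /registeracc.php?email=x%27%20AND%20SLEEP(5)--%20&name=z HTTP/1.1" 500 0 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Allowlist for the one shape the endpoint should accept in `email`.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Tokens that have no place in an e-mail address but are typical of SQLi probes.
SQLI_RE = re.compile(
    r"""(['"`;]|--|/\*|\b(?:or|and|union|select|sleep|benchmark)\b)""", re.I
)


def is_valid_email(value: str) -> bool:
    """Strict allowlist check; defence in depth, not a substitute for binding."""
    return EMAIL_RE.fullmatch(value) is not None


def sqli_indicators(value: str) -> list[str]:
    """Distinct suspicious tokens found in a value, lower-cased and sorted."""
    return sorted({m.group(0).lower() for m in SQLI_RE.finditer(value)})


def scan_log(text: str, path: str = "/registeracc.php", param: str = "email") -> list[dict]:
    """Flag requests to `path` whose `param` is not a well-formed e-mail address."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != path:
            continue
        # parse_qs percent-decodes values, so encoded quotes and spaces come back.
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if is_valid_email(value):
                continue
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "status": m.group("status"),
                "email": value,
                "indicators": sqli_indicators(value),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["status"]} email={hit["email"]!r} indicators={hit["indicators"]}')
```

The detection keys on the allowlist failing rather than on the signature list alone, so an obfuscated payload that dodges every keyword is still reported; the indicator list is there to help triage, not to decide. The same `is_valid_email` check is what the application should apply before the value reaches the database, in addition to binding it as a parameter. If the form posts the e-mail in the request body, feed this logic from a WAF audit log or application log that captures the body, since the access-log format above does not.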
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-07T11:48:50.626Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68be35f6e3f0bafba8aaf712
Added to database: 9/8/2025, 1:48:38 AM
Last enriched: 9/8/2025, 2:03:07 AM
Last updated: 9/8/2025, 10:33:24 AM