
CVE-2025-10078: SQL Injection in SourceCodester Online Polling System

Severity: Medium
Vulnerability: CVE-2025-10078
Published: Mon Sep 08 2025 (09/08/2025, 02:02:06 UTC)
Source: CVE Database V5
Vendor/Project: SourceCodester
Product: Online Polling System

Description

A vulnerability was detected in SourceCodester Online Polling System 1.0. Affected is an unknown function of the file /admin/candidates.php. Manipulation of the argument ID results in SQL injection. The attack can be launched remotely. The exploit is now public and may be used.

AI-Powered Analysis

Last updated: 09/08/2025, 02:48:07 UTC

Technical Analysis

CVE-2025-10078 is a SQL injection vulnerability identified in SourceCodester Online Polling System version 1.0, specifically within the /admin/candidates.php file. The vulnerability arises from improper sanitization or validation of the 'ID' parameter, which an attacker can manipulate to inject arbitrary SQL commands. This flaw allows remote attackers to execute unauthorized SQL queries against the backend database without requiring authentication or user interaction. The CVSS 4.0 base score of 6.9 (medium severity) reflects that the attack vector is network-based (AV:N), requires no privileges (PR:N) and no user interaction (UI:N), and has partial (low) impacts on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). The vulnerability does not fully compromise system confidentiality, integrity, or availability, but it can lead to unauthorized data disclosure, data modification, or partial service disruption. The exploit is publicly available, which increases the risk of exploitation, although no active exploitation in the wild has been reported yet. The absence of official patches or mitigation guidance from the vendor increases the urgency for organizations using this software to implement compensating controls. Given the nature of the affected system, an online polling platform, successful exploitation could compromise the integrity of polling data, potentially influencing decision-making processes or public opinion if the system is used in political or organizational contexts. The vulnerability's remote exploitability and lack of authentication requirements make it a significant risk for any deployment of this software.
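The following example is added here to illustrate the class of flaw the analysis describes; it is not code from the SourceCodester project and does not reproduce /admin/candidates.php. It uses an in-memory SQLite table with constructed candidate rows (the real schema, column names and parameter casing are assumptions) and contrasts a lookup that splices the request parameter into the SQL text with one that validates the identifier and binds it as a query parameter, which is the fix the mitigation section calls for.

```python
import re
import sqlite3

# Constructed sample data standing in for a polling system's candidates table.
# The schema is illustrative and is not the project's actual one.
SAMPLE_CANDIDATES = [
    (1, "Alice Example", "Party A"),
    (2, "Bob Example", "Party B"),
    (3, "Carol Example", "Party C"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database populated with the constructed candidate rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE candidates (id INTEGER PRIMARY KEY, name TEXT, party TEXT)"
    )
    conn.executemany("INSERT INTO candidates VALUES (?, ?, ?)", SAMPLE_CANDIDATES)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, id_param: str) -> list:
    """The pattern behind the advisory: the request parameter becomes part of the
    SQL text, so any value that is not a plain number alters the query itself."""
    query = f"SELECT id, name, party FROM candidates WHERE id = {id_param}"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, id_param: str) -> list:
    """Validate the identifier first, then bind it as a parameter. The value never
    touches the SQL text, so it cannot change the structure of the statement."""
    if not re.fullmatch(r"[0-9]{1,9}", id_param):
        raise ValueError("ID must be a positive integer")
    return conn.execute(
        "SELECT id, name, party FROM candidates WHERE id = ?", (int(id_param),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "2"))          # one row, as intended
    print(lookup_vulnerable(db, "2 OR 1=1"))   # every row: the input rewrote the WHERE clause
    print(lookup_hardened(db, "2"))            # one row
    try:
        lookup_hardened(db, "2 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)                # the malformed identifier never reaches the database
```

The validation step is deliberately strict (digits only) rather than a blocklist of SQL keywords: an integer primary key has exactly one legitimate shape, and rejecting everything else is simpler to reason about than trying to enumerate bad input. Parameter binding alone would already prevent the injection; the validation adds a clear error path and keeps junk out of the logs.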

Potential Impact

For European organizations, the impact of this vulnerability can be substantial, especially for entities relying on the SourceCodester Online Polling System for internal or public polling activities. Exploitation could lead to unauthorized disclosure of sensitive polling data, manipulation of candidate information, or disruption of polling services. This could undermine trust in polling results, affect organizational decision-making, or influence political processes if used in governmental or electoral contexts. Additionally, data leakage could expose personal information of participants, raising GDPR compliance concerns and potential legal liabilities. The partial compromise of data integrity and availability could also disrupt business operations or public services relying on accurate polling data. Given the public availability of the exploit code, there is an increased risk of opportunistic attacks targeting vulnerable installations across Europe.

Mitigation Recommendations

Since no official patches are currently available, European organizations should prioritize the following mitigations:

1) Immediate code review and sanitization of all input parameters, especially the 'ID' parameter in /admin/candidates.php, using parameterized queries or prepared statements to prevent SQL injection.
2) Implement Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the vulnerable endpoint.
3) Restrict access to the /admin directory through network segmentation, IP whitelisting, or VPN access to limit exposure.
4) Conduct thorough security testing and vulnerability scanning on all instances of the polling system to identify and remediate similar injection flaws.
5) Monitor logs for suspicious activities related to SQL injection attempts and respond promptly.
6) Consider migrating to alternative polling systems with active security support if remediation is not feasible.
7) Educate administrators about the risks and signs of exploitation to enhance incident detection and response capabilities.


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-07T11:50:21.599Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68be4061e3f0bafba8ab4247

Added to database: 9/8/2025, 2:33:05 AM

Last enriched: 9/8/2025, 2:48:07 AM

Last updated: 9/8/2025, 10:33:23 AM

Views: 7
