CVE-2025-10104: SQL Injection in code-projects Online Event Judging System
A security vulnerability has been detected in code-projects Online Event Judging System 1.0. Affected is an unknown function of the file /review_search.php. The manipulation of the argument txtsearch leads to SQL injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.
AI Analysis
Technical Summary
CVE-2025-10104 is a SQL Injection vulnerability identified in version 1.0 of the code-projects Online Event Judging System, specifically within an unspecified function in the /review_search.php file. The vulnerability arises from improper sanitization or validation of the 'txtsearch' parameter, which is used in SQL queries. An attacker can remotely exploit this flaw by manipulating the 'txtsearch' argument to inject malicious SQL code. This injection can lead to unauthorized access to the backend database, allowing attackers to read, modify, or delete data, potentially compromising the confidentiality, integrity, and availability of the system's data. The vulnerability does not require authentication or user interaction, making it easier to exploit. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low attack complexity, no privileges or user interaction required, and limited impact on confidentiality, integrity, and availability. Although no exploitation in the wild is currently known, the vulnerability has been publicly disclosed, increasing the risk of exploitation by threat actors. The lack of available patches or mitigations from the vendor further elevates the urgency for organizations using this software to implement protective measures.
Potential Impact
For European organizations utilizing the code-projects Online Event Judging System 1.0, this vulnerability poses a significant risk. Exploitation could lead to unauthorized disclosure of sensitive event judging data, manipulation of event results, or disruption of event operations. This can damage organizational reputation, lead to loss of trust among stakeholders, and potentially cause regulatory compliance issues under GDPR if personal or sensitive data is exposed. The remote and unauthenticated nature of the exploit increases the likelihood of attacks, especially in environments where the system is accessible over the internet. Additionally, if the system integrates with other internal platforms, the SQL injection could serve as a pivot point for broader network compromise. The medium severity rating indicates a moderate but tangible threat that should not be underestimated, particularly for organizations relying heavily on the integrity and availability of event judging processes.
Mitigation Recommendations
Given the absence of official patches, European organizations should immediately implement the following mitigations:
1) Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the 'txtsearch' parameter in /review_search.php.
2) Restrict network access to the Online Event Judging System by limiting exposure to trusted IP addresses or internal networks only, reducing the attack surface.
3) Conduct thorough input validation and sanitization at the application level, if source code access is available, to neutralize malicious inputs.
4) Monitor logs for unusual query patterns or repeated failed attempts to exploit the 'txtsearch' parameter.
5) Consider deploying database-level protections such as least privilege accounts for the application and query parameterization to mitigate injection risks.
6) Plan for an urgent update or migration to a patched version once available from the vendor.
7) Educate relevant IT and security staff about this vulnerability and ensure incident response plans include detection and containment strategies for SQL injection attacks.
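The technical summary describes a search parameter that is spliced into a SQL statement without validation, and mitigations 3 and 5 name the fix: validate the input and bind it as a query parameter. The following is an added illustration written for this page; it is not code from the code-projects Online Event Judging System, whose source is not shown here. The `reviews` table, its columns, and the sample rows are constructed assumptions, and the search is run against an in-memory SQLite database so it works offline. It shows the vulnerable concatenation pattern (a single apostrophe in the input already reaches the SQL parser), the parameterized form that treats the value purely as data, escaping of LIKE wildcards so a user cannot widen the match, and an allow-list validation step as defense in depth.

```python
"""Added example: unsafe vs. parameterized handling of a search parameter.

Not the Online Event Judging System's code. Table name, columns and sample
rows are constructed for this illustration; `txtsearch` is the parameter
name from the advisory.
"""
import sqlite3

MAX_SEARCH_LEN = 64  # assumed reasonable bound for a reviewer-name search


def make_db():
    """Build a throwaway in-memory database with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE reviews (id INTEGER PRIMARY KEY, reviewer TEXT, comment TEXT)"
    )
    conn.executemany(
        "INSERT INTO reviews (reviewer, comment) VALUES (?, ?)",
        [
            ("Alice", "Strong technical execution"),
            ("O'Brien", "Needs a clearer pitch"),
            ("Bob", "Excellent presentation"),
        ],
    )
    conn.commit()
    return conn


def search_reviews_unsafe(conn, txtsearch):
    """Vulnerable pattern: the user-controlled value is part of the SQL text.

    Any quote character in `txtsearch` changes the statement's structure,
    which is exactly the condition the advisory describes.
    """
    sql = (
        "SELECT reviewer, comment FROM reviews WHERE reviewer LIKE '%"
        + txtsearch
        + "%'"
    )
    return conn.execute(sql).fetchall()


def search_reviews_safe(conn, txtsearch):
    """Hardened form: the value is bound as a parameter, never parsed as SQL.

    LIKE wildcards are escaped so the caller cannot turn a name search into
    a match-everything query; ESCAPE tells SQLite which character we used.
    """
    escaped = (
        txtsearch.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    )
    sql = "SELECT reviewer, comment FROM reviews WHERE reviewer LIKE ? ESCAPE '\\'"
    return conn.execute(sql, ("%" + escaped + "%",)).fetchall()


def validate_search(txtsearch):
    """Allow-list check applied before the query (mitigation 3).

    Accepts non-empty strings up to MAX_SEARCH_LEN made of letters, digits,
    spaces and the few punctuation marks a person's name may contain.
    """
    if not isinstance(txtsearch, str) or not txtsearch.strip():
        return False
    if len(txtsearch) > MAX_SEARCH_LEN:
        return False
    return all(ch.isalnum() or ch in " '-." for ch in txtsearch)


def demo():
    """Run both variants on the same benign input and report what happened."""
    conn = make_db()
    results = {}
    results["safe_plain"] = search_reviews_safe(conn, "Ali")
    results["safe_quote"] = search_reviews_safe(conn, "O'Bri")
    try:
        search_reviews_unsafe(conn, "O'Bri")
        results["unsafe_quote"] = "no error"
    except sqlite3.OperationalError:
        # The apostrophe in a legitimate name already broke the statement:
        # proof that input is being interpreted as SQL, not as data.
        results["unsafe_quote"] = "syntax error"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The same change in the PHP application is a PDO prepared statement, for example `$stmt = $pdo->prepare('SELECT reviewer, comment FROM reviews WHERE reviewer LIKE ?'); $stmt->execute(['%' . $term . '%']);` (column names assumed), combined with an allow-list check on `txtsearch` before the query runs and a database account that has only the SELECT rights the search page needs (mitigation 5).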
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-08T13:43:23.168Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68bf399cd5a2966cfc830bfd
Added to database: 9/8/2025, 8:16:28 PM
Last enriched: 9/8/2025, 8:31:22 PM
Last updated: 9/10/2025, 4:07:21 AM