CVE-2025-10351 is a critical SQL injection vulnerability identified in the Melis Platform developed by Melis Technology, affecting the melis-cms module. The vulnerability arises from improper neutralization of special elements in SQL commands (CWE-89) via the 'idPage' parameter in the '/melis/MelisCms/PageEdition/getTinyTemplates' endpoint. This flaw allows an unauthenticated attacker to inject malicious SQL queries, enabling them to retrieve, create, update, or delete database records arbitrarily. The vulnerability is remotely exploitable over the network without any authentication or user interaction, as indicated by the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N). The impact on confidentiality, integrity, and availability is high, as attackers can fully compromise the backend database, potentially leading to data breaches, data loss, or service outages. No patches or official fixes have been released yet, and no known exploits have been observed in the wild, but the vulnerability's critical nature demands urgent attention. The Melis Platform is used in content management scenarios, and exploitation could affect websites and applications relying on this platform, exposing sensitive business or user data. The vulnerability was reserved on 2025-09-12 and published on 2025-10-08 by INCIBE, highlighting its recent discovery and public disclosure.

For European organizations, this vulnerability poses a significant risk of data breaches, unauthorized data manipulation, and potential service disruption. Attackers exploiting this flaw can access sensitive information stored in the databases, including user data, configuration details, or intellectual property. The ability to modify or delete data can lead to operational downtime, loss of data integrity, and reputational damage. Organizations in sectors such as government, finance, healthcare, and media that use the Melis Platform for content management or web services are particularly vulnerable. The lack of authentication and user interaction requirements lowers the barrier for exploitation, increasing the likelihood of attacks. Additionally, regulatory compliance risks arise under GDPR due to potential exposure of personal data. The critical severity and ease of exploitation make this vulnerability a high priority for European entities to address promptly.

1. Immediate mitigation should focus on applying any available patches or updates from Melis Technology once released. 2. Until patches are available, implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting the 'idPage' parameter and the affected endpoint. 3. Conduct thorough input validation and sanitization on all user-supplied parameters, especially 'idPage', to prevent injection of malicious SQL code. 4. Employ parameterized queries or prepared statements in the application code to eliminate direct concatenation of user input into SQL commands. 5. Restrict database user privileges to the minimum necessary, preventing the application from performing destructive operations if compromised. 6. Monitor logs and network traffic for unusual database queries or access patterns indicative of exploitation attempts. 7. Perform security audits and penetration tests focusing on injection vulnerabilities in the Melis Platform environment. 8. Educate development and security teams about secure coding practices and the risks of SQL injection. 9. Consider isolating the affected service or endpoint until a fix is applied to reduce exposure. 10. Maintain up-to-date backups to enable recovery in case of data loss or corruption.