CVE-2025-10351 is a critical SQL injection vulnerability identified in the Melis Technology Melis Platform, specifically affecting the melis-cms module. The vulnerability arises from improper neutralization of special elements used in SQL commands (CWE-89), allowing attackers to inject malicious SQL code through the 'idPage' parameter in the '/melis/MelisCms/PageEdition/getTinyTemplates' endpoint. This endpoint fails to properly sanitize or parameterize user input, enabling attackers to manipulate backend SQL queries. Exploitation requires no authentication or user interaction, making it trivially exploitable remotely over the network. Successful exploitation can lead to unauthorized access to the database, allowing attackers to retrieve sensitive information, create, update, or delete database records, potentially compromising confidentiality, integrity, and availability of the affected systems. The vulnerability has been assigned a CVSS 4.0 base score of 9.3, reflecting its critical severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed. Although no known exploits are currently reported in the wild, the vulnerability’s characteristics suggest it could be weaponized rapidly. The affected version is listed as '0', which likely indicates an initial or early release version of the Melis Platform. The lack of available patches or mitigations from the vendor at the time of publication increases the urgency for organizations to implement compensating controls. The vulnerability was reserved and published by INCIBE, a respected European cybersecurity entity, indicating regional awareness and relevance.

For European organizations, the impact of CVE-2025-10351 is significant due to the critical nature of the vulnerability and the potential for full database compromise. Organizations using the Melis Platform in sectors such as government, finance, healthcare, or critical infrastructure could face severe data breaches, data loss, or service disruption. The ability to manipulate database contents can lead to unauthorized disclosure of sensitive personal or corporate data, violation of GDPR and other data protection regulations, and operational downtime. Attackers could also leverage this vulnerability to pivot into other parts of the network or implant persistent backdoors. The lack of authentication requirements and ease of exploitation increase the risk of widespread automated attacks. European entities relying on Melis for content management or web services must consider the reputational, legal, and financial consequences of exploitation. Additionally, the vulnerability could be exploited for ransomware or data destruction campaigns, further amplifying its impact.

1. Immediate implementation of input validation and sanitization on the 'idPage' parameter to prevent malicious SQL code injection. 2. Employ parameterized queries or prepared statements in the affected endpoint to ensure SQL commands are safely constructed. 3. Conduct a thorough code review of the melis-cms module and other components for similar injection flaws. 4. Monitor database logs and application logs for unusual queries or access patterns indicative of exploitation attempts. 5. Restrict network access to the vulnerable endpoint using firewalls or web application firewalls (WAFs) with specific rules to detect and block SQL injection payloads. 6. If possible, isolate the database with strict access controls and least privilege principles to limit damage from a successful attack. 7. Engage with Melis Technology for official patches or updates and apply them promptly once available. 8. Perform penetration testing and vulnerability scanning focused on SQL injection vectors to identify residual risks. 9. Educate development teams on secure coding practices to prevent recurrence of injection vulnerabilities. 10. Prepare incident response plans specific to database compromise scenarios to reduce response time if exploitation occurs.