CVE-2025-10421 is a SQL Injection vulnerability identified in SourceCodester Student Grading System version 1.0, specifically within the /update_account.php script. The vulnerability arises due to improper sanitization or validation of the 'ID' parameter, which allows an attacker to manipulate the SQL query executed by the application. This manipulation can lead to unauthorized access or modification of the database contents. The vulnerability is remotely exploitable without requiring user interaction or authentication, increasing its risk profile. The CVSS 4.0 base score is 5.3 (medium severity), reflecting that the attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:L), no user interaction (UI:N), and partial impacts on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although no known exploits are currently observed in the wild, the exploit code has been published, making it feasible for attackers to leverage this vulnerability. The lack of available patches or vendor-provided fixes further elevates the risk for organizations using this software. The vulnerability affects only version 1.0 of the Student Grading System, which is typically used by educational institutions to manage student records and grading data. Exploitation could lead to unauthorized data disclosure, data tampering, or denial of service, impacting the integrity and confidentiality of sensitive academic information.

For European organizations, particularly educational institutions such as schools, colleges, and universities using SourceCodester Student Grading System 1.0, this vulnerability poses a significant risk. Successful exploitation could result in unauthorized access to student records, grades, and personal information, violating data protection regulations such as the GDPR. This could lead to reputational damage, legal penalties, and loss of trust among students and parents. Additionally, data integrity could be compromised, affecting academic outcomes and administrative processes. The remote and unauthenticated nature of the exploit increases the likelihood of attacks originating from external threat actors. Given the critical role of educational data, any disruption or data breach could have cascading effects on institutional operations and compliance obligations within the European context.

Organizations should immediately assess whether they are using SourceCodester Student Grading System version 1.0 and specifically the vulnerable /update_account.php component. Since no official patch is currently available, mitigation should focus on implementing web application firewall (WAF) rules to detect and block SQL injection attempts targeting the 'ID' parameter. Input validation and parameterized queries should be enforced if source code access is possible, replacing vulnerable code with prepared statements to prevent injection. Network segmentation and restricting access to the grading system to trusted internal networks can reduce exposure. Regular monitoring of logs for suspicious SQL queries or unusual activity related to the grading system is recommended. Additionally, organizations should plan for upgrading or replacing the vulnerable software with a secure alternative or a patched version once available. Conducting security awareness training for administrators managing the system can help in early detection and response to potential exploitation attempts.