CVE-2025-10448 is a SQL Injection vulnerability identified in version 1.0 of the Campcodes Online Job Finder System, specifically affecting the /index.php?q=result&searchfor=bycompany endpoint. The vulnerability arises from improper sanitization of the 'Search' parameter, allowing an attacker to inject malicious SQL code remotely without any authentication or user interaction. This flaw enables an attacker to manipulate backend database queries, potentially leading to unauthorized data disclosure, data modification, or even complete compromise of the underlying database. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low attack complexity, no privileges or user interaction required, but limited impact on confidentiality, integrity, and availability. Although no known exploits are currently observed in the wild, the exploit code has been published, increasing the risk of exploitation. The vulnerability affects only version 1.0 of the product, which is a niche online job finder system developed by Campcodes. The lack of patch links suggests that a fix may not yet be available, emphasizing the need for immediate mitigation by affected users. Given the nature of the vulnerability, attackers could extract sensitive user information, manipulate job listings, or disrupt service availability, impacting both users and organizations relying on this platform for recruitment or job search activities.

For European organizations using the Campcodes Online Job Finder System 1.0, this vulnerability poses a moderate risk. Exploitation could lead to unauthorized access to personal data of job seekers and employers, violating GDPR requirements and potentially resulting in regulatory penalties. Data integrity could be compromised by altering job listings or user profiles, undermining trust in the platform. Availability impacts are less severe but possible if attackers execute denial-of-service conditions via crafted SQL payloads. Organizations relying on this system for recruitment may face operational disruptions and reputational damage. Since the exploit requires no authentication and can be initiated remotely, attackers can target European entities without insider access. The medium severity score indicates a significant but not critical threat; however, the presence of published exploit code increases the urgency for mitigation. The impact is particularly relevant for HR departments, recruitment agencies, and job boards operating within Europe that have integrated this system or use it as a core component.

To mitigate this vulnerability, European organizations should immediately implement input validation and parameterized queries or prepared statements in the affected /index.php?q=result&searchfor=bycompany endpoint to prevent SQL injection. If source code access is available, developers must sanitize and validate all user inputs rigorously. In the absence of an official patch, organizations should consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection payloads targeting the vulnerable parameter. Monitoring web server logs for suspicious query patterns related to 'searchfor=bycompany' can help identify attempted exploitation. Additionally, organizations should isolate the affected system from critical internal networks to limit lateral movement if compromised. Regular backups of the database should be maintained to enable recovery in case of data tampering. Finally, organizations should engage with Campcodes for updates or patches and plan for an upgrade to a fixed version once available. User awareness and restricting public access to the vulnerable interface can further reduce risk.