
CVE-2025-10592: SQL Injection in itsourcecode Online Public Access Catalog OPAC

Severity: Medium
Published: Wed Sep 17 2025 (09/17/2025, 13:02:06 UTC)
Source: CVE Database V5
Vendor/Project: itsourcecode
Product: Online Public Access Catalog OPAC

Description

A security vulnerability has been detected in itsourcecode Online Public Access Catalog OPAC 1.0. This impacts an unknown function of the file mysearch.php of the component POST Parameter Handler. Such manipulation of the argument search_field/search_text leads to SQL injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.

AI-Powered Analysis

Last updated: 09/17/2025, 13:17:28 UTC

Technical Analysis

CVE-2025-10592 is a medium-severity SQL injection vulnerability in itsourcecode Online Public Access Catalog (OPAC) version 1.0, a small PHP web application. The flaw is in mysearch.php, in the code that handles the POST parameters search_field and search_text: their values reach a database query without adequate validation or parameterization, so a remote attacker who can submit a search request can change the structure of the query rather than just its search term. Depending on the privileges of the database account the application uses, this can expose or modify catalog and user records and may serve as a stepping stone to further compromise of the host. A proof-of-concept exploit has been published, which lowers the bar for exploitation, although no exploitation in the wild has been reported. The CVSS 4.0 base score is 5.3 (medium). The full vector string is not reproduced on this page, so the exact privilege and user-interaction assumptions should be checked against the CVE record before concluding that unauthenticated access is sufficient. Only version 1.0 is listed as affected. OPAC software of this kind is deployed by libraries so that the public can search their collections, which means the search endpoint is exposed by design.

Potential Impact

For European organizations, especially libraries, universities and public institutions running itsourcecode OPAC 1.0, the main risk is unauthorized disclosure or manipulation of database content. An attacker exploiting this injection could read catalog and patron records, alter catalog data or, depending on database privileges, disrupt the service. Because an OPAC search page is public-facing by design, the vulnerable endpoint is reachable by anyone who can reach the site. Exposure of patron data would constitute a personal data breach under the GDPR, with the associated notification obligations, and a compromised web server can serve as a foothold into the wider organizational network. The medium severity reflects a moderate technical impact per request, but the public proof-of-concept and the simplicity of the attack mean affected deployments should be treated as a priority.

Mitigation Recommendations

Organizations should immediately identify any deployments of itsourcecode Online Public Access Catalog OPAC version 1.0. No official patch is referenced, so the fix is a code change in mysearch.php: pass search_text to the database as a bound parameter (PDO or mysqli prepared statements in PHP) instead of concatenating it into the query string. Note that if search_field selects the column to search, it cannot be bound as a parameter; it must be compared against a fixed allow-list of permitted column names and rejected otherwise. A web application firewall can be configured to block SQL injection payloads in these two parameters as an interim measure, but it is not a substitute for the code fix. Run the application with a database account restricted to the minimum privileges the catalog needs (read access to catalog tables, no access to user or administrative tables where the design permits) to limit the impact of any remaining injection. Review web server and database logs for requests to mysearch.php containing SQL metacharacters or unusually long search values. Upgrade to a fixed version if the vendor publishes one, or migrate to a maintained OPAC product. Follow up with a security assessment or penetration test to confirm that the fix is effective.
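The following is an added example, not code from the itsourcecode project (the real mysearch.php is not reproduced on this page). It models in Python, against an in-memory SQLite database, the pattern the analysis and mitigation sections describe: search_field and search_text concatenated into a query, beside a hardened version that allow-lists the column name, binds the search text as a parameter, and escapes LIKE wildcards. The table names, columns, rows and attack payloads are all constructed for illustration.

```python
import sqlite3

# Constructed stand-in schema and data; not the OPAC project's real tables.
SCHEMA = """
CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT, author TEXT, isbn TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
"""
BOOKS = [
    ("The Art of Computer Programming", "Donald Knuth", "000-0000000001"),
    ("Structure and Interpretation of Computer Programs", "Abelson and Sussman", "000-0000000002"),
    ("Applied Cryptography", "Bruce Schneier", "000-0000000003"),
]
USERS = [("librarian", "constructed-hash")]

# Columns a user may legitimately search on. A column identifier cannot be bound
# as a query parameter, so an allow-list is the only safe way to accept search_field.
ALLOWED_FIELDS = {"title", "author", "isbn"}

# Constructed attack inputs: one targets search_text, the other search_field.
UNION_PAYLOAD = "x%' UNION SELECT username || ':' || password_hash FROM users -- "
FIELD_PAYLOAD = "1=1 OR title"


def new_db():
    """Create an in-memory database populated with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO books (title, author, isbn) VALUES (?, ?, ?)", BOOKS)
    conn.executemany("INSERT INTO users (username, password_hash) VALUES (?, ?)", USERS)
    return conn


def vulnerable_search(conn, search_field, search_text):
    """Models the flaw the advisory describes: both POST values are spliced
    straight into the SQL text, so either one can rewrite the query."""
    sql = f"SELECT title FROM books WHERE {search_field} LIKE '%{search_text}%'"
    return sorted(row[0] for row in conn.execute(sql))


def escape_like(text):
    """Escape LIKE metacharacters so the user's text is matched literally."""
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def hardened_search(conn, search_field, search_text):
    """Allow-list the column, bind the search text, and escape wildcards."""
    if search_field not in ALLOWED_FIELDS:
        raise ValueError(f"unsupported search field: {search_field!r}")
    sql = f"SELECT title FROM books WHERE {search_field} LIKE ? ESCAPE '\\'"
    pattern = f"%{escape_like(search_text)}%"
    return sorted(row[0] for row in conn.execute(sql, (pattern,)))


if __name__ == "__main__":
    conn = new_db()
    print("vulnerable, search_text payload:", vulnerable_search(conn, "title", UNION_PAYLOAD))
    print("vulnerable, search_field payload:", vulnerable_search(conn, FIELD_PAYLOAD, "nomatch"))
    print("hardened, search_text payload:", hardened_search(conn, "title", UNION_PAYLOAD))
    try:
        hardened_search(conn, FIELD_PAYLOAD, "nomatch")
    except ValueError as exc:
        print("hardened, search_field payload rejected:", exc)
    print("hardened, legitimate search:", hardened_search(conn, "author", "Knuth"))
```

Against the vulnerable function the UNION payload in search_text returns the users table through the search results, and the search_field payload returns the whole catalog; against the hardened function the first returns nothing and the second is rejected before any SQL runs. The ESCAPE clause is a separate point: parameter binding stops injection but does not stop a user from supplying a bare `%` to dump every row, which is why wildcards in the search text are escaped as well.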


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-09-17T05:55:10.077Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68cab45254cf790925e52665

Added to database: 9/17/2025, 1:14:58 PM

Last enriched: 9/17/2025, 1:17:28 PM

Last updated: 9/19/2025, 12:08:58 AM
