CVE-2025-10601 is a SQL Injection vulnerability identified in SourceCodester Online Exam Form Submission version 1.0, specifically within an unknown function in the /admin/index.php file. The vulnerability arises due to improper sanitization or validation of the 'email' parameter, which can be manipulated by an attacker to inject malicious SQL code. This injection flaw allows an unauthenticated remote attacker to execute arbitrary SQL commands on the backend database without requiring any user interaction or privileges. The vulnerability has a CVSS 4.0 base score of 6.9, indicating a medium severity level. The attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact on confidentiality, integrity, and availability is low to limited (VC:L, VI:L, VA:L), suggesting that while exploitation can lead to unauthorized data access or modification, the scope and severity of damage are somewhat constrained. No patches or fixes have been publicly disclosed yet, and there are no known exploits actively used in the wild. The vulnerability disclosure date is September 17, 2025. Given the nature of the product—a web-based online exam form submission system—successful exploitation could lead to unauthorized access to sensitive exam data, user information, or administrative controls, potentially undermining the integrity of exam processes and confidentiality of user data.

For European organizations, especially educational institutions and certification bodies relying on SourceCodester Online Exam Form Submission 1.0, this vulnerability poses a significant risk to data confidentiality and integrity. Exploitation could lead to unauthorized access to personal data of students or candidates, exam results, and administrative credentials, potentially violating GDPR requirements concerning personal data protection. The integrity of exam results could be compromised, leading to reputational damage and legal consequences. Furthermore, if attackers modify or delete exam data, it could disrupt examination processes, causing operational downtime. Although the vulnerability is rated medium severity, the lack of authentication and user interaction requirements increases the risk of automated exploitation attempts. Organizations using this software without timely mitigation could face targeted attacks aiming to manipulate exam outcomes or exfiltrate sensitive information. The impact extends beyond data loss to include potential regulatory fines and loss of trust among stakeholders.

Given the absence of official patches, European organizations should immediately implement compensating controls. First, restrict access to the /admin/index.php interface by IP whitelisting or VPN-only access to limit exposure. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the 'email' parameter. Conduct thorough input validation and sanitization on all user-supplied data, especially email fields, using parameterized queries or prepared statements if source code access is available. Monitor logs for unusual database query patterns or repeated failed requests to detect exploitation attempts early. Additionally, organizations should plan to upgrade or replace the vulnerable software with a secure alternative or await vendor patches. Regular backups of exam data should be maintained to enable recovery in case of data tampering. Finally, raise awareness among IT and security teams about this vulnerability to ensure prompt incident response if exploitation is suspected.