
CVE-2025-10601: SQL Injection in SourceCodester Online Exam Form Submission

Severity: Medium
Published: Wed Sep 17 2025 (09/17/2025, 16:32:10 UTC)
Source: CVE Database V5
Vendor/Project: SourceCodester
Product: Online Exam Form Submission

Description

A vulnerability has been found in SourceCodester Online Exam Form Submission 1.0. Affected is an unknown function of the file /admin/index.php. Such manipulation of the argument email leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 09/17/2025, 16:38:59 UTC

Technical Analysis

CVE-2025-10601 is a SQL injection vulnerability in SourceCodester Online Exam Form Submission 1.0. It is located in /admin/index.php, where the 'email' request parameter is used in a database query without adequate validation or parameterization, so a remote, unauthenticated attacker can alter the query by supplying crafted input; the CVE record does not identify the specific function. The path names the admin area, and if the affected query is the administrator login, injection through the email field could bypass authentication outright; that is an inference from the path, not something the advisory states. No user interaction is required. Beyond the vulnerable query itself, a successful injection can expose, modify or delete database contents, to the extent permitted by the database account the application connects with. The CVSS 4.0 base score is 6.9 (medium), reflecting a network attack vector, low attack complexity, no privileges or user interaction required, and low rather than high impact on confidentiality, integrity and availability. No in-the-wild exploitation is reported, but a public exploit is available, which lowers the bar for opportunistic attacks. Only version 1.0 is listed as affected. The product is a small PHP application of the kind used by educational institutions and training providers to manage exam registrations and submissions.

Potential Impact

For European organizations, particularly educational institutions, training centres and certification bodies running SourceCodester Online Exam Form Submission 1.0, the main exposure is the personal data of students and candidates held in the application database: email addresses and whatever else the submission forms collect. Unauthorized extraction of that data is a personal data breach under GDPR, with notification duties and potential fines. Because the flaw sits in the admin area, an attacker who abuses it may also be able to alter or delete exam registrations and submissions, undermining the integrity of results and the availability of the service, with the reputational damage that follows. Remote, unauthenticated exploitability means every internet-reachable instance is a target, and a public exploit makes mass scanning cheap. The product is niche and deployments are probably few, but each affected organization carries the full confidentiality, integrity and availability risk.

Mitigation Recommendations

Identify any deployment of SourceCodester Online Exam Form Submission 1.0. No vendor fix is referenced on this page, and SourceCodester projects are usually distributed as one-off sample code rather than maintained software, so plan to remediate in the code yourself rather than wait for a release. In /admin/index.php, replace string-built SQL with prepared statements (mysqli or PDO with bound parameters) for the 'email' parameter and every other user-supplied value, and validate the email's shape before it reaches the database layer; escaping alone is not a substitute for parameterization. Run the application with a database account limited to the tables it needs, so that a successful injection cannot read or alter other schemas. Put the admin interface behind a VPN or an IP allow-list so it is not reachable from the internet. A WAF with SQL injection rules on the email parameter reduces opportunistic exploitation but can be bypassed, so treat it as a stopgap, not a fix. Review the rest of the code base for the same pattern, since applications of this type usually repeat it across several files, and confirm the fix with a penetration test focused on injection. Monitor web server and database logs for quote characters, SQL keywords or comment sequences in the email parameter and for bursts of failed admin logins from one source. Keep tested database backups and make sure the incident response plan covers a personal data breach of student records. Brief administrators on what an injection attempt looks like in the logs so they can escalate early.
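The two forms contrasted in the analysis and the mitigation above, the string-built query and its prepared-statement replacement, as an added example that is not SourceCodester's code. The page does not show the project's source, so the vulnerable function is a hypothetical reconstruction of the pattern the CVE describes; the table and column names (admin, email, password, password_hash) and the connection details in the usage comment are assumptions.

```php
<?php
// Added example, not code from the SourceCodester project. The vulnerable
// function is a hypothetical reconstruction of the pattern CVE-2025-10601
// describes; table/column names (admin, email, password, password_hash)
// are assumptions. Requires the mysqli extension built on mysqlnd, which
// provides mysqli_stmt::get_result().

/**
 * VULNERABLE pattern: the request parameter is spliced into the SQL text.
 * A value such as   x' OR '1'='1   rewrites the WHERE clause, and a value
 * such as   admin@example.com'--   comments out the password check.
 */
function find_admin_vulnerable(mysqli $db, string $email, string $password): ?array
{
    $sql = "SELECT id, email FROM admin "
         . "WHERE email = '$email' AND password = '$password'";
    $result = $db->query($sql);
    if ($result === false) {
        return null;
    }
    $row = $result->fetch_assoc();
    return is_array($row) ? $row : null;
}

/**
 * HARDENED version: shape validation, a prepared statement with a bound
 * parameter, and a password hash verified in PHP rather than in SQL.
 */
function find_admin_safe(mysqli $db, string $email, string $password): ?array
{
    // 1. Reject anything that is not syntactically an email address before it
    //    reaches the database layer. This is defence in depth; the bound
    //    parameter below is what actually prevents injection.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    // 2. The email travels as a bound string parameter, never as SQL text, so
    //    quotes, comment sequences and keywords in it have no syntactic effect.
    $stmt = $db->prepare('SELECT id, email, password_hash FROM admin WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // 3. Verify the password against a hash stored with password_hash(), so the
    //    credential never participates in query construction at all.
    if (!is_array($row) || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

// Usage in a login handler (connection details are placeholders):
// $db    = new mysqli('localhost', 'exam_app', 'secret', 'exam_db');
// $admin = find_admin_safe($db, $_POST['email'] ?? '', $_POST['password'] ?? '');
// if ($admin === null) {
//     http_response_code(401);
//     exit('Login failed');
// }
// $_SESSION['admin_id'] = $admin['id'];
```

The hardened function changes three things at once: the email is bound rather than interpolated, the password is compared against a hash in PHP instead of being matched by the database, and the query runs only for input that already looks like an address. On PHP 8.1 and later mysqli reports errors as exceptions by default, so a malformed query in the vulnerable function throws rather than returning false; either way the string-built version is the one to remove. If the installed mysqli lacks mysqlnd, replace get_result() with bind_result() and fetch(); the bound parameter is what matters, not the fetch style.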


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-17T06:46:26.622Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68cae414bbadf27e02c744d3

Added to database: 9/17/2025, 4:38:44 PM

Last enriched: 9/17/2025, 4:38:59 PM

Last updated: 9/17/2025, 4:39:20 PM


