CVE-2025-10617 is a SQL Injection vulnerability identified in SourceCodester Online Polling System version 1.0, specifically within the /admin/positions.php file. The vulnerability arises from improper sanitization or validation of the 'ID' parameter, which is susceptible to malicious input manipulation. An attacker can exploit this flaw remotely without requiring user interaction or prior authentication, by crafting specially designed requests that inject SQL commands into the backend database query. This can lead to unauthorized data access, modification, or deletion, potentially compromising the confidentiality and integrity of the polling system's data. The vulnerability has a CVSS 4.0 base score of 5.3, indicating a medium severity level, with characteristics including network attack vector, low attack complexity, no privileges required, and no user interaction needed. The impact on availability and integrity is limited but present, and the scope is unchanged as the vulnerability affects only the vulnerable component. Although no public exploits are currently known in the wild, the exploit code has been made publicly available, increasing the risk of exploitation. The lack of a patch or mitigation from the vendor at this time further elevates the threat to organizations using this software. Given the nature of the application—a polling system—successful exploitation could allow attackers to manipulate poll results, access sensitive voter data, or disrupt polling operations.

For European organizations, especially those relying on SourceCodester Online Polling System 1.0 for internal or public polling activities, this vulnerability poses a risk to data confidentiality and integrity. Manipulation of polling data could undermine trust in organizational decision-making processes or public opinion assessments. Additionally, unauthorized access to administrative functions could expose sensitive voter information or internal system details. While the vulnerability does not directly affect availability to a critical extent, disruption of polling services could impact organizational operations or public engagement initiatives. The medium severity rating suggests that while the threat is not critical, it is significant enough to warrant prompt attention, particularly in sectors where polling data integrity is crucial, such as governmental agencies, political organizations, or market research firms within Europe.

Organizations should immediately audit their use of SourceCodester Online Polling System version 1.0 and assess exposure of the /admin/positions.php endpoint. As no official patch is currently available, practical mitigations include implementing web application firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the 'ID' parameter. Input validation and parameterized queries should be enforced if organizations maintain or customize the software. Restricting access to the administrative interface by IP whitelisting or VPN-only access can reduce exposure. Regular monitoring of logs for suspicious query patterns or repeated failed attempts is recommended. Organizations should also consider migrating to updated or alternative polling systems with active security support. Finally, maintaining backups of polling data and configurations will aid recovery if exploitation occurs.