
CVE-2025-10780: SQL Injection in CodeAstro Simple Pharmacy Management

Severity: Medium
Tags: Vulnerability, CVE-2025-10780
Published: Mon Sep 22 2025 (09/22/2025, 03:32:06 UTC)
Source: CVE Database V5
Vendor/Project: CodeAstro
Product: Simple Pharmacy Management

Description

A vulnerability was determined in CodeAstro Simple Pharmacy Management 1.0. It affects an unknown function of the file /view.php. Manipulation of the argument bar_code causes SQL injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be used.

AI-Powered Analysis

Last updated: 09/22/2025, 04:01:09 UTC

Technical Analysis

CVE-2025-10780 is a medium-severity SQL Injection vulnerability identified in version 1.0 of CodeAstro's Simple Pharmacy Management software. The vulnerability exists in an unspecified function within the /view.php file, where the 'bar_code' parameter is improperly sanitized, allowing an attacker to inject malicious SQL code. This flaw enables remote exploitation without requiring user interaction or authentication, as indicated by the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L). The vulnerability impacts the confidentiality, integrity, and availability of the underlying database, as attackers can manipulate SQL queries to extract sensitive data, alter records, or disrupt service. Although the CVSS score is moderate at 5.3, the presence of remote exploitability and low attack complexity makes this a significant risk for affected deployments. No patches or fixes have been disclosed yet, and while no known exploits are currently active in the wild, the public disclosure of the vulnerability increases the likelihood of exploitation attempts. The affected product is a pharmacy management system, which typically handles sensitive patient and medication data, making the impact of a successful attack potentially severe in terms of privacy violations and operational disruption.

Potential Impact

For European organizations, particularly healthcare providers and pharmacies using CodeAstro Simple Pharmacy Management 1.0, this vulnerability poses a tangible risk to patient data confidentiality and the integrity of pharmaceutical records. Exploitation could lead to unauthorized access to personal health information (PHI), violating GDPR requirements and potentially resulting in regulatory penalties and reputational damage. Additionally, manipulation or deletion of medication records could disrupt pharmacy operations, impacting patient safety and service continuity. Given the critical nature of healthcare infrastructure, such an attack could also undermine trust in digital health systems. The vulnerability's remote exploitability without user interaction means attackers could automate attacks at scale, increasing the threat level. European organizations must consider these risks in the context of stringent data protection laws and the criticality of healthcare services.

Mitigation Recommendations

Immediate mitigation should focus on implementing input validation and parameterized queries or prepared statements to prevent SQL injection in the /view.php file, specifically sanitizing the 'bar_code' parameter. Organizations should conduct a thorough code review of all input handling related to database queries within the application. Until an official patch is released by CodeAstro, deploying web application firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the 'bar_code' parameter can reduce exposure. Monitoring application logs for suspicious query patterns and unusual database activity is also recommended. Additionally, restricting database user permissions to the minimum necessary can limit the impact of a successful injection. Organizations should also consider isolating the affected system within the network and applying network segmentation to reduce lateral movement risks. Finally, maintaining regular backups of pharmacy data ensures recovery capability in case of data corruption or loss.
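As an added illustration of the prepared-statement and input-validation advice above (example code written for this page, not CodeAstro's own /view.php), the following PHP handles a `bar_code` lookup with PDO. The table and column names (`medicines`, `bar_code`, `stock`), the DSN, the read-only account name and the barcode format rule are assumptions.

```php
<?php
// Added example, not the project's code: hardened handling of the
// bar_code parameter for a /view.php-style lookup.
// Schema (medicines: id, name, bar_code, stock) and DSN are assumptions.
declare(strict_types=1);

function connectDb(): PDO {
    // Least privilege: a SELECT-only account limits what an injection
    // could do even if another code path is still vulnerable.
    $dsn = 'mysql:host=127.0.0.1;dbname=pharmacy;charset=utf8mb4';
    return new PDO($dsn, 'pharmacy_ro', getenv('PHARMACY_DB_PASSWORD') ?: '', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // true server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function validateBarCode(string $raw): ?string {
    // Allow-list validation: EAN/UPC-style barcodes are digits only,
    // 8 to 14 characters (assumed format). Anything else is rejected
    // before it ever reaches the database layer.
    return preg_match('/^[0-9]{8,14}$/', $raw) === 1 ? $raw : null;
}

function findByBarCode(PDO $db, string $barCode): ?array {
    // The value is bound as a parameter, never concatenated into the
    // SQL text, so quotes or comment sequences in it cannot change
    // the query structure.
    $stmt = $db->prepare(
        'SELECT id, name, bar_code, stock FROM medicines WHERE bar_code = :bc'
    );
    $stmt->execute([':bc' => $barCode]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

$barCode = validateBarCode((string)($_GET['bar_code'] ?? ''));
if ($barCode === null) {
    // Log rejected input: repeated malformed bar_code values from one
    // source are a useful detection signal for this advisory's pattern.
    http_response_code(400);
    error_log('view.php: rejected malformed bar_code from '
        . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    exit('Invalid barcode');
}
$item = findByBarCode(connectDb(), $barCode);
if ($item === null) {
    http_response_code(404);
    exit('Not found');
}
echo htmlspecialchars($item['name'], ENT_QUOTES, 'UTF-8');
```

The validation step rejects malformed input early and gives the log line to alert on; the bound parameter is what actually prevents the injection, so it must stay even where the format check is relaxed.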


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-21T08:53:45.135Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68d0c68eb68a0c387d4566fd

Added to database: 9/22/2025, 3:46:22 AM

Last enriched: 9/22/2025, 4:01:09 AM

Last updated: 9/26/2025, 12:18:32 AM

