CVE-2025-10788 is a SQL Injection vulnerability identified in version 1.0 of the SourceCodester Online Hotel Reservation System. The vulnerability exists in the deleteroominventory.php file, specifically in an unknown function that processes the 'ID' argument. An attacker can manipulate this argument to inject malicious SQL code, which the system then executes on the backend database. This type of injection flaw allows an unauthenticated remote attacker to interfere with the queries made to the database, potentially leading to unauthorized data access, data modification, or deletion. The vulnerability requires no authentication or user interaction, and the attack vector is network accessible (remote). The CVSS 4.0 base score is 6.9, indicating a medium severity level, with low impact on confidentiality, integrity, and availability individually but combined impact is moderate. The exploit has been publicly disclosed, increasing the risk of exploitation, although no known exploits in the wild have been reported yet. The vulnerability stems from improper input validation and sanitization of the 'ID' parameter, which is a common cause of SQL injection issues. Since the affected product is a hotel reservation system, the backend database likely contains sensitive customer information, booking details, and possibly payment data, making the impact of exploitation significant in terms of data confidentiality and integrity.

For European organizations using the SourceCodester Online Hotel Reservation System version 1.0, this vulnerability poses a tangible risk of data breaches and service disruption. Exploitation could lead to unauthorized access to customer personal data, reservation details, and potentially payment information, which would violate GDPR regulations and result in severe legal and financial penalties. Additionally, attackers could manipulate or delete reservation data, causing operational disruptions and reputational damage. The remote and unauthenticated nature of the vulnerability increases the likelihood of exploitation, especially if the system is exposed to the internet without adequate protections. Given the hospitality sector's importance in Europe, particularly in countries with large tourism industries, the impact could extend to loss of customer trust and competitive disadvantage. Furthermore, attackers could leverage the vulnerability as a foothold for further network intrusion or lateral movement within the organization's infrastructure.

To mitigate this vulnerability, organizations should immediately apply any available patches or updates from the vendor. Since no patch links are currently provided, organizations should implement compensating controls such as input validation and parameterized queries or prepared statements to prevent SQL injection. Web application firewalls (WAFs) should be configured to detect and block SQL injection attempts targeting the 'ID' parameter in deleteroominventory.php. Network segmentation and restricting access to the reservation system to trusted IP addresses can reduce exposure. Regular security assessments and code reviews should be conducted to identify and remediate similar vulnerabilities. Additionally, monitoring database logs for suspicious queries and implementing intrusion detection systems can help detect exploitation attempts early. Organizations should also ensure that backups of reservation data are maintained securely to enable recovery in case of data tampering or deletion.