
CVE-2025-10797: SQL Injection in code-projects Hostel Management System

Medium
Tags: Vulnerability, CVE-2025-10797
Published: Mon Sep 22 2025 (09/22/2025, 12:02:06 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Hostel Management System

Description

A vulnerability was found in code-projects Hostel Management System 1.0. It affects unspecified processing in the file /justines/index.php. Manipulation of the argument log_email leads to SQL injection. The attack can be launched remotely. An exploit has been publicly disclosed and may be used.

AI-Powered Analysis

Last updated: 09/22/2025, 12:53:03 UTC

Technical Analysis

CVE-2025-10797 is a SQL injection vulnerability in version 1.0 of the code-projects Hostel Management System, located in the file /justines/index.php. The log_email request parameter (judging by its name, the e-mail field of a login form) is used in a database query without adequate validation, escaping or parameter binding, so a crafted value can change the structure of the SQL statement rather than being treated as data. The record does not show the affected query. For an injection in a login check, the usual consequences are authentication bypass and, depending on the privileges of the database account the application uses, reading, modifying or deleting data in other tables. The flaw is reachable over the network and needs neither authentication nor user interaction. The CVSS 4.0 base score is 6.9 (Medium): network attack vector, low attack complexity, no privileges or user interaction required, and limited impact on confidentiality, integrity and availability of the vulnerable system. An exploit has been publicly disclosed; this record reports no exploitation in the wild, but a published exploit lowers the bar considerably. No patch or vendor advisory is linked in the record, so affected deployments need compensating controls until a fixed version is available.
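The mechanism behind this class of bug, as an added illustration that is not code from the original page or from the code-projects application. The advisory does not show the query in /justines/index.php, so the vulnerable function below is an assumed shape (request values spliced into the SQL text) and the fixed function is the same check with bound parameters. SQLite stands in for the MySQL database a PHP application would normally use, and the user table, credentials and the tautology payload are all constructed here; the payload is a generic one, not the published exploit.

```python
import sqlite3

# Constructed stand-in for the application's user table. The real schema of
# code-projects Hostel Management System is not shown in the advisory, and
# plaintext passwords are used only to keep the demonstration short.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, "
        "email TEXT NOT NULL, password TEXT NOT NULL)"
    )
    conn.execute(
        "INSERT INTO users (email, password) VALUES (?, ?)",
        ("warden@example.test", "correct-horse"),
    )
    conn.commit()
    return conn


def login_vulnerable(conn, log_email, password):
    """Assumed shape of the flawed check: the log_email value is spliced
    straight into the SQL string, so quotes and comment markers become syntax."""
    sql = (
        f"SELECT id FROM users WHERE email = '{log_email}' "
        f"AND password = '{password}'"
    )
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn, log_email, password):
    """Same check with bound parameters: the driver sends the values separately
    from the statement text, so the payload is compared as a literal string."""
    sql = "SELECT id FROM users WHERE email = ? AND password = ?"
    return conn.execute(sql, (log_email, password)).fetchone() is not None


# Tautology payload for the log_email field. The comment marker discards the
# rest of the statement, including the password comparison. The trailing
# space matters for MySQL, which only treats "-- " followed by whitespace as
# a comment.
BYPASS_PAYLOAD = "' OR '1'='1' -- "


def demo():
    """Run both checks with real credentials and with the payload."""
    conn = make_db()
    return {
        "legit_vulnerable": login_vulnerable(conn, "warden@example.test", "correct-horse"),
        "legit_fixed": login_fixed(conn, "warden@example.test", "correct-horse"),
        "bypass_vulnerable": login_vulnerable(conn, BYPASS_PAYLOAD, "wrong"),
        "bypass_fixed": login_fixed(conn, BYPASS_PAYLOAD, "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

With the payload, the vulnerable statement becomes `SELECT id FROM users WHERE email = '' OR '1'='1' -- ' AND password = 'wrong'`; everything after `--` is a comment, the WHERE clause is always true and the first user row is returned. The parameterised version compares the whole payload against the email column and rejects it. The same bound-parameter pattern is available in PHP through PDO::prepare or mysqli_stmt.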

Potential Impact

For European organizations running version 1.0 of the code-projects Hostel Management System, the vulnerability puts student or resident records at risk, including names, identification details and contact information. Successful exploitation can lead to unauthorized disclosure, tampering with records, or denial of service against the application, disrupting hostel administration and potentially breaching data protection obligations under the GDPR, with the associated notification duties, fines and reputational harm. Because the flaw is reachable remotely without credentials, it is also a plausible initial foothold: a compromised web application or database host can be used to reach other systems in an institutional network. The Medium rating reflects that the impact is confined to the application and its database rather than that the risk is low; for an organization that depends on this system for day-to-day administration, the risk is material.

Mitigation Recommendations

No official patch is linked on this record, so organizations running version 1.0 have to act on the code they deploy. The root-cause fix is to rewrite the query that consumes log_email (and any other request parameter handled in /justines/index.php) to use prepared statements with bound parameters, for example PDO or MySQLi prepared statements in PHP. Validating that log_email looks like an e-mail address is a worthwhile second layer, but validation alone is not a reliable defence against SQL injection. As interim protection, a Web Application Firewall or a ModSecurity-style virtual patch can inspect the log_email parameter for quotes, comment sequences and SQL keywords; if the login form submits by POST, the rule must inspect the request body and not only the query string. The database account used by the application should hold only the privileges it needs on the hostel schema, so that a successful injection cannot read other databases, write files or create users. For detection, log the value of log_email at the application or WAF layer (standard web server access logs do not record POST bodies) and review for injection patterns, bursts of HTTP 500 responses on the login page, and logins from unusual addresses. Longer term, plan to upgrade or replace the application once a fixed release exists, keep the web server, PHP and database software current, and make sure the people who maintain the system know how to write parameterised queries and how to respond if exploitation is detected.
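A detection check of the kind described above, as an added example that is not part of the original page. It parses constructed access-log lines (combined log format; the traffic is made up), extracts the log_email parameter for requests to /justines/index.php, URL-decodes it and matches it against a few injection indicators. The path and parameter name come from the advisory; the rule set, the log lines and the addresses are assumptions for the demonstration. The sample uses GET so that the parameter is visible in the log; a form that POSTs would need the same logic applied to a WAF audit log or application-level log that records the body.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines in combined log format. Not real traffic:
# only the path and the parameter name come from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Sep/2025:12:10:01 +0000] "GET /justines/index.php?log_email=warden%40example.test&log_password=x HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Sep/2025:12:10:07 +0000] "GET /justines/index.php?log_email=%27+OR+%271%27%3D%271%27+--+&log_password=x HTTP/1.1" 302 0 "-" "curl/8.4.0"
203.0.113.9 - - [22/Sep/2025:12:10:09 +0000] "GET /justines/index.php?log_email=a%27+UNION+SELECT+1%2Cpassword%2C3+FROM+users--+&log_password=x HTTP/1.1" 500 0 "-" "curl/8.4.0"
198.51.100.4 - - [22/Sep/2025:12:11:00 +0000] "GET /justines/index.php?log_email=o%27brien%40example.test&log_password=y HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.5 - - [22/Sep/2025:12:12:00 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators that do not belong in a field meant to hold an e-mail address.
# A lone apostrophe is deliberately not a rule: addresses such as
# o'brien@example.test are legitimate and would be false positives.
RULES = [
    ("sql-comment", re.compile(r"--|/\*|#")),
    ("tautology", re.compile(r"\bor\b\s+['\"]?\w*['\"]?\s*=", re.I)),
    ("union-select", re.compile(r"\bunion\b.+\bselect\b", re.I)),
    ("stacked-query", re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I)),
]


def suspicious_requests(log_text, path="/justines/index.php", param="log_email"):
    """Return one record per request whose decoded `param` value matches a rule."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != path:
            continue
        # parse_qs percent-decodes and turns '+' into spaces, which is the
        # form the application itself sees before building its query.
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            matched = [name for name, rx in RULES if rx.search(value)]
            if matched:
                hits.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "status": m["status"],
                    "value": value,
                    "rules": matched,
                })
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['status']} {hit['rules']} {hit['value']!r}")
```

Two of the five lines are flagged, both from the same client, and the legitimate address containing an apostrophe is not. Signature matching of this kind is a supplement to the code fix, not a replacement: attackers evade simple rules with double encoding, inline comments and case tricks, so normalise the value before matching and treat a match as a lead for investigation rather than as proof.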


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-21T09:29:03.767Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68d14699803041629e2f991b

Added to database: 9/22/2025, 12:52:41 PM

Last enriched: 9/22/2025, 12:53:03 PM

Last updated: 9/24/2025, 10:01:14 AM

