
CVE-2025-10798: SQL Injection in code-projects Hostel Management System

Severity: Medium
Tags: Vulnerability, CVE-2025-10798
Published: Mon Sep 22 2025 (09/22/2025, 12:32:06 UTC)
Source: CVE Database V5
Vendor/Project: code-projects
Product: Hostel Management System

Description

A vulnerability was identified in code-projects Hostel Management System 1.0. Impacted is an unknown function of the file /justines/admin/mod_roomtype/index.php?view=view. Manipulation of the argument ID leads to SQL injection. The attack may be launched remotely. The exploit is publicly available and might be used.

AI-Powered Analysis

Last updated: 09/22/2025, 12:53:29 UTC

Technical Analysis

CVE-2025-10798 is a SQL injection vulnerability in version 1.0 of the code-projects Hostel Management System, located in the file /justines/admin/mod_roomtype/index.php in the 'ID' parameter when the page is requested with the 'view=view' argument. An unauthenticated remote attacker can manipulate the 'ID' parameter so that attacker-controlled text becomes part of the SQL statement executed against the backend database. The flaw arises because the user-supplied value is not validated or sanitized before it is incorporated into the query. Exploitation could allow an attacker to read, modify, or delete data stored in the database, compromising the confidentiality and integrity of hostel management records. The vulnerability has a CVSS 4.0 base score of 6.9 (medium severity): network attack vector, low attack complexity, no privileges or user interaction required, and partial impact on confidentiality, integrity, and availability. No exploitation in the wild is currently known, but proof-of-concept code is publicly available, which increases the risk of exploitation. Only version 1.0 of the product is affected, and no official patch or update has been published yet. Because the attack requires no authentication and can be launched remotely, the vulnerability is particularly concerning for deployments exposed to untrusted networks or the internet.

Potential Impact

For European organizations using the code-projects Hostel Management System version 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive data such as personal information of residents, booking details, and financial records. Successful exploitation could lead to unauthorized data disclosure, data tampering, or even denial of service if the database is corrupted or manipulated. This could result in regulatory non-compliance, especially under GDPR, leading to legal penalties and reputational damage. Educational institutions, student housing providers, and hospitality businesses in Europe relying on this system could face operational disruptions and loss of trust from their users. The remote and unauthenticated nature of the attack vector increases the likelihood of exploitation, especially if the system is accessible over the internet without adequate network protections. Given the public availability of exploit code, attackers with moderate skills could leverage this vulnerability to compromise affected systems.

Mitigation Recommendations

European organizations should immediately assess their exposure to the vulnerable Hostel Management System version 1.0. As no official patches are currently available, organizations should implement the following mitigations:

1) Restrict network access to the affected application, limiting it to trusted internal networks or VPNs to reduce exposure to remote attackers.
2) Employ web application firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the 'ID' parameter in the affected URL path.
3) Conduct thorough input validation and sanitization on all user inputs, especially the 'ID' parameter, using parameterized queries or prepared statements if source code access is possible.
4) Monitor application and database logs for suspicious activities indicative of SQL injection attempts.
5) Plan and prioritize upgrading or replacing the vulnerable Hostel Management System with a patched or more secure version as soon as it becomes available.
6) Educate administrators and users about the risks and signs of exploitation to improve incident detection and response.
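The following PHP is an added example illustrating mitigations 3 and 4 above; it is not code from code-projects or from the Hostel Management System, whose actual source is not shown on this page. It places the kind of query construction the advisory describes (the 'ID' query-string value concatenated into SQL text) next to a hardened version that validates the value as an integer and binds it through a prepared statement, and adds a small access-log triage helper that flags requests to the affected path whose ID is not purely numeric. The table and column names ('room_type', 'id'), the function names, and the sample log lines are assumptions constructed for illustration.

```php
<?php
// Added example, not code from the code-projects Hostel Management System.
// Table/column names ('room_type', 'id') and function names are assumptions.
declare(strict_types=1);

// Illustrative vulnerable pattern: the raw request value becomes part of the SQL text,
// so whatever is in ID is parsed by the database as SQL syntax.
function loadRoomTypeUnsafe(mysqli $db, array $get): ?array
{
    $sql = "SELECT * FROM room_type WHERE id = " . ($get['ID'] ?? '');
    $res = $db->query($sql);
    return $res instanceof mysqli_result ? $res->fetch_assoc() : null;
}

// Hardened form, step 1: accept only a plain, reasonably sized integer.
// Returns null for anything else so callers fail closed.
function validateRoomTypeId(mixed $raw): ?int
{
    if (!is_string($raw) || $raw === '' || strlen($raw) > 10 || !ctype_digit($raw)) {
        return null;
    }
    return (int) $raw;
}

// Hardened form, step 2: bind the validated value as a parameter. The database
// receives the query text and the value separately, so the value is never
// interpreted as SQL even if validation were ever relaxed.
function loadRoomTypeSafe(mysqli $db, array $get): ?array
{
    $id = validateRoomTypeId($get['ID'] ?? null);
    if ($id === null) {
        http_response_code(400);
        // Rejected input is worth logging: it is the signal mitigation 4 looks for.
        error_log('mod_roomtype: rejected non-numeric ID from '
            . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
        return null;
    }
    $stmt = $db->prepare("SELECT * FROM room_type WHERE id = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Log triage for mitigation 4: given web-server access log lines, return those
// that request the affected path with an ID value that is not purely numeric.
function flagSuspiciousRoomTypeRequests(array $logLines): array
{
    $hits = [];
    foreach ($logLines as $line) {
        if (!preg_match('~"(?:GET|POST) (/justines/admin/mod_roomtype/index\.php\?[^" ]*)~', $line, $m)) {
            continue;
        }
        // parse_str URL-decodes the query, so encoded characters are inspected as sent to PHP.
        parse_str((string) parse_url($m[1], PHP_URL_QUERY), $params);
        if (isset($params['ID']) && validateRoomTypeId($params['ID']) === null) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Constructed sample access-log lines (not real traffic): a normal numeric ID,
// and one whose ID carries a URL-encoded single quote.
$sampleLog = [
    '203.0.113.7 - - [22/Sep/2025:12:00:01 +0000] "GET /justines/admin/mod_roomtype/index.php?view=view&ID=3 HTTP/1.1" 200 512',
    '203.0.113.9 - - [22/Sep/2025:12:00:05 +0000] "GET /justines/admin/mod_roomtype/index.php?view=view&ID=3%27 HTTP/1.1" 500 0',
];
print_r(flagSuspiciousRoomTypeRequests($sampleLog));
```

The same validateRoomTypeId() check serves both the request handler and the log triage, so the definition of "acceptable ID" lives in one place. A WAF rule for mitigation 2 can express the same constraint: for the affected path, allow only ID values matching a short run of digits and block or alert on everything else, which avoids the weaker approach of blacklisting specific SQL keywords.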


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-21T09:29:06.784Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68d14699803041629e2f990d

Added to database: 9/22/2025, 12:52:41 PM

Last enriched: 9/22/2025, 12:53:29 PM

Last updated: 9/23/2025, 12:10:57 AM
