CVE-2025-10799 is a SQL Injection vulnerability identified in version 1.0 of the code-projects Hostel Management System. The flaw exists in an unspecified function within the file /justines/admin/mod_reservation/index.php, specifically when handling the 'ID' parameter in the 'view=view' query string. By manipulating this parameter, an attacker can inject malicious SQL code, potentially allowing unauthorized access to or modification of the backend database. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing the risk of automated exploitation. The CVSS 4.0 base score is 6.9, indicating a medium severity level, with the vector highlighting network attack vector, low attack complexity, no privileges or user interaction needed, and low impact on confidentiality, integrity, and availability. Although no public exploit is currently known to be actively used in the wild, the exploit code has been publicly released, raising the likelihood of future exploitation. The vulnerability stems from insufficient input validation or parameterized query usage in the affected PHP script, a common issue in web applications that directly incorporate user input into SQL queries. Given the nature of the Hostel Management System, which likely stores sensitive data such as guest information, booking details, and possibly payment data, exploitation could lead to data leakage, unauthorized data modification, or disruption of service.

For European organizations using the affected Hostel Management System version 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of their data. Compromise could lead to unauthorized disclosure of personal guest information, violating GDPR and other data protection regulations, resulting in legal and financial penalties. Data tampering could disrupt reservation processes, causing operational downtime and reputational damage. Since the vulnerability is remotely exploitable without authentication, attackers could leverage it to gain persistent access or pivot within the network. This threat is particularly critical for hospitality businesses in Europe that rely on this software for daily operations, as exploitation could impact customer trust and business continuity. Additionally, given the public availability of exploit code, the window for exploitation is widened, increasing urgency for mitigation.

To mitigate this vulnerability, organizations should immediately upgrade to a patched version of the Hostel Management System once available from the vendor. In the absence of an official patch, applying web application firewall (WAF) rules to detect and block SQL injection patterns targeting the 'ID' parameter in the affected URL path is recommended. Conduct a thorough code review of the affected PHP file to implement parameterized queries or prepared statements, ensuring all user inputs are properly sanitized and validated. Restrict direct internet access to the admin interface by implementing network segmentation and access controls, limiting exposure to trusted IP addresses only. Regularly monitor logs for suspicious query patterns or repeated access attempts to the vulnerable endpoint. Additionally, perform database activity monitoring to detect anomalous queries indicative of exploitation attempts. Finally, ensure backups are current and tested to enable recovery in case of data compromise.