CVE-2025-10801 is a SQL Injection vulnerability identified in SourceCodester Pet Grooming Management Software version 1.0. The vulnerability exists in the /admin/edit_tax.php file, specifically involving the manipulation of the 'ID' parameter. An attacker can remotely exploit this flaw by injecting malicious SQL code through the 'ID' argument without requiring any authentication or user interaction. This allows the attacker to interfere with the application's database queries, potentially leading to unauthorized data access, data modification, or deletion. The vulnerability has a CVSS 4.0 base score of 6.9, indicating a medium severity level. The attack vector is network-based with low attack complexity and no privileges or user interaction needed. The impact on confidentiality, integrity, and availability is limited but present, as the vulnerability allows partial control over database queries. No official patches or mitigations have been published yet, and no known exploits have been observed in the wild. However, the public disclosure of the vulnerability increases the risk of exploitation attempts.

For European organizations using SourceCodester Pet Grooming Management Software 1.0, this vulnerability poses a risk of unauthorized access to sensitive business data such as customer information, pricing, and tax configurations. Exploitation could lead to data breaches, manipulation of financial records, or disruption of business operations. Given the software's niche market in pet grooming management, the impact is likely confined to small and medium enterprises in this sector. However, compromised systems could be leveraged as entry points for broader network attacks. The remote and unauthenticated nature of the exploit increases the risk of automated scanning and exploitation attempts, potentially leading to reputational damage and regulatory compliance issues under GDPR if personal data is exposed.

European organizations should immediately audit their use of SourceCodester Pet Grooming Management Software version 1.0 and restrict access to the /admin/edit_tax.php endpoint through network-level controls such as firewalls or VPNs. Input validation and parameterized queries should be implemented to prevent SQL injection, though this requires vendor intervention. Until an official patch is released, organizations can deploy Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the 'ID' parameter. Regular monitoring of logs for suspicious activity related to this endpoint is advised. Additionally, organizations should consider isolating the application server from critical internal networks to limit potential lateral movement in case of compromise. Engaging with the vendor for patch timelines and applying updates promptly once available is critical.