
CVE-2025-10826: SQL Injection in Campcodes Online Beauty Parlor Management System

Severity: Medium
Published: Tue Sep 23 2025 (09/23/2025, 00:32:06 UTC)
Source: CVE Database V5
Vendor/Project: Campcodes
Product: Online Beauty Parlor Management System

Description

A security flaw has been discovered in Campcodes Online Beauty Parlor Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/sales-reports-detail.php. The manipulation of the argument fromdate/todate results in SQL injection. The attack can be launched remotely. The exploit has been released to the public and may be exploited.

AI-Powered Analysis

Last updated: 09/23/2025, 01:04:23 UTC

Technical Analysis

CVE-2025-10826 is a medium-severity SQL injection vulnerability in version 1.0 of the Campcodes Online Beauty Parlor Management System. The flaw is in /admin/sales-reports-detail.php, in the handling of the 'fromdate' and 'todate' parameters. These parameters filter sales reports by date, but because their values are not adequately validated or sanitized before they reach the database query, an attacker can inject SQL. The CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L) indicates that the attack is reachable over the network, low in complexity and needs no user interaction; note that PR:L means low privileges are required, so the attacker needs low-privilege (authenticated) access to the admin endpoint rather than no authentication at all. The impact on confidentiality, integrity and availability is rated low in each case (VC:L/VI:L/VA:L). An exploit has been published, but there are no confirmed reports of exploitation in the wild. Successful exploitation lets an attacker manipulate database queries, potentially leading to unauthorized data access, data modification, or denial of service through corrupted or deleted data. Only version 1.0 of the product is affected, and no patch or official mitigation has been published yet.

Potential Impact

For European organizations using the Campcodes Online Beauty Parlor Management System version 1.0, this vulnerability poses a risk of unauthorized access to sensitive business data such as sales reports and customer information. Exploitation could lead to data breaches, loss of data integrity, and disruption of business operations. Given the nature of the product, which is likely used by small to medium-sized beauty salons and related businesses, the impact could include financial loss, reputational damage, and regulatory compliance issues under GDPR if personal data is exposed. Remote exploitability with only low-privilege access increases the risk profile, especially for organizations with internet-facing administrative interfaces. The medium severity rating suggests that while the vulnerability is serious, it may not lead to full system compromise, but it still requires prompt attention to prevent potential exploitation.

Mitigation Recommendations

Organizations should immediately review and restrict access to the /admin/sales-reports-detail.php endpoint, ideally limiting it to trusted internal networks or VPN access. Input validation and parameter sanitization should be implemented to prevent SQL injection, including the use of prepared statements or parameterized queries in the affected code. Since no official patch is currently available, applying Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting the 'fromdate' and 'todate' parameters is recommended. Regular monitoring of logs for suspicious activity related to these parameters should be established. Additionally, organizations should consider upgrading to a newer, patched version of the software once available or contacting the vendor for guidance. Backup procedures should be verified to ensure data recovery in case of an attack.
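To support the log-monitoring recommendation above, here is an added example (not from the advisory, the vendor or the product) that scans combined-format access-log lines for requests to the affected endpoint whose fromdate/todate values are not plain calendar dates. The log lines, IP addresses and account name are constructed for the example; the log format and field names are assumptions.

```python
"""Flag requests to /admin/sales-reports-detail.php whose date filters are not plain dates."""
import re
from datetime import date
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - admin [23/Sep/2025:00:40:01 +0000] "GET /admin/sales-reports-detail.php?fromdate=2025-09-01&todate=2025-09-22 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - admin [23/Sep/2025:00:41:15 +0000] "GET /admin/sales-reports-detail.php?fromdate=2025-09-01%27&todate=2025-09-22 HTTP/1.1" 500 312 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Sep/2025:00:42:30 +0000] "GET /admin/index.php HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.10 - admin [23/Sep/2025:00:43:02 +0000] "POST /admin/sales-reports-detail.php?fromdate=2025-09-01&todate=2025-13-45 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, auth user, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/admin/sales-reports-detail.php"   # path named in the advisory
WATCHED = ("fromdate", "todate")               # parameters named in the advisory
ISO_DATE = re.compile(r"\d{4}-\d{2}-\d{2}")


def is_plain_date(value: str) -> bool:
    """Accept only YYYY-MM-DD strings that are also valid calendar dates."""
    if not ISO_DATE.fullmatch(value):
        return False
    try:
        date.fromisoformat(value)
    except ValueError:          # e.g. month 13: well-formed but not a real date
        return False
    return True


def suspicious_requests(log_text: str) -> list[dict]:
    """Return one finding per request to ENDPOINT carrying a non-date fromdate/todate."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != ENDPOINT:
            continue
        # parse_qs percent-decodes, so an encoded quote (%27) is seen as a literal quote.
        params = parse_qs(url.query, keep_blank_values=True)
        bad = [(k, v) for k in WATCHED for v in params.get(k, []) if not is_plain_date(v)]
        if bad:
            findings.append({"ip": m["ip"], "user": m["user"], "ts": m["ts"],
                             "status": int(m["status"]), "bad_params": bad})
    return findings
```

A strict allow-list check like this is the same validation the application itself should apply before the value reaches the query, so the script doubles as a statement of what a hardened endpoint should accept.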


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-21T16:11:50.576Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68d1ee8defb46fd030578110

Added to database: 9/23/2025, 12:49:17 AM

Last enriched: 9/23/2025, 1:04:23 AM

Last updated: 9/25/2025, 12:08:24 AM


