
CVE-2025-10846: SQL Injection in Portabilis i-Educar

Severity: Medium
Tags: Vulnerability, CVE-2025-10846
Published: Tue Sep 23 2025 (09/23/2025, 07:02:05 UTC)
Source: CVE Database V5
Vendor/Project: Portabilis
Product: i-Educar

Description

A vulnerability was determined in Portabilis i-Educar up to 2.10. This vulnerability affects unknown code of the file /module/ComponenteCurricular/edit. This manipulation of the argument ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.

AI-Powered Analysis

Last updated: 09/23/2025, 07:10:52 UTC

Technical Analysis

CVE-2025-10846 is a medium-severity SQL injection vulnerability in the Portabilis i-Educar platform, affecting all versions up to 2.10. It resides in the /module/ComponenteCurricular/edit endpoint, where the 'ID' parameter is not adequately validated or sanitized before it reaches a database query, so an attacker can inject SQL into that query. Per the CVSS vector (AV:N/AC:L/AT:N/UI:N/PR:L), the flaw is reachable over the network, has low attack complexity, needs no user interaction, and requires only low privileges, i.e. an ordinary authenticated account. The vector rates the impact on confidentiality, integrity, and availability as low. No exploitation in the wild has been observed, but an exploit has been publicly disclosed, which raises the likelihood of attempts. Successful exploitation could let an attacker manipulate database queries, leading to unauthorized data access, data modification, or disruption of service in affected i-Educar installations. Because i-Educar is an education management system, that could expose sensitive student and institutional data or disrupt educational operations.

Potential Impact

For European organizations, particularly educational institutions using Portabilis i-Educar, this vulnerability poses a risk of unauthorized access to sensitive educational data, including student records, grades, and administrative information. The SQL Injection could allow attackers to extract confidential data, alter records, or disrupt system availability, impacting the integrity and reliability of educational services. Such incidents could lead to regulatory non-compliance under GDPR due to data breaches, reputational damage, and operational downtime. The medium severity suggests that while the impact is not catastrophic, the risk is significant enough to warrant prompt attention, especially in environments where i-Educar is integrated with other critical systems or holds sensitive data.

Mitigation Recommendations

Organizations should immediately audit their i-Educar installations to identify affected versions (2.0 through 2.10). Since no official patches are listed, it is critical to implement immediate compensating controls such as input validation and parameterized queries at the application or database level to prevent SQL Injection. Network-level protections like Web Application Firewalls (WAFs) should be configured to detect and block SQL Injection patterns targeting the /module/ComponenteCurricular/edit endpoint. Restricting database user privileges to the minimum necessary can limit the impact of a successful injection. Monitoring and logging access to this module should be enhanced to detect suspicious activity. Organizations should also engage with Portabilis for official patches or updates and plan for timely application once available. Additionally, conducting security awareness training for administrators on this vulnerability and its risks is recommended.
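The two compensating controls above, validating the ID argument and moving it out of the SQL text into a bound parameter, together with the log monitoring for the /module/ComponenteCurricular/edit module, are shown below in an added, self-contained example. This is illustrative code written for this page, not i-Educar's own code: the table name, column names, the lower-case `id` query-string key, and the access-log lines are all constructed, and an in-memory SQLite database stands in for the real backend.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlparse

# Strict whitelist for the ID argument: a positive integer and nothing else.
ID_PATTERN = re.compile(r"[1-9][0-9]*")
EDIT_PATH = "/module/ComponenteCurricular/edit"  # endpoint named in the advisory


def build_demo_db():
    """Constructed stand-in for the application database (table name assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE componente_curricular (id INTEGER PRIMARY KEY, nome TEXT)")
    conn.executemany(
        "INSERT INTO componente_curricular VALUES (?, ?)",
        [(1, "Matematica"), (2, "Historia"), (3, "Geografia")],
    )
    return conn


def edit_lookup_vulnerable(conn, raw_id):
    """Anti-pattern: the request argument is spliced into the SQL text,
    so anything the client sends becomes part of the query."""
    sql = "SELECT id, nome FROM componente_curricular WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def edit_lookup_hardened(conn, raw_id):
    """Hardened form: reject anything that is not a bare integer, then pass
    the value as a bound parameter so the database never parses it as SQL."""
    if not ID_PATTERN.fullmatch(raw_id):
        raise ValueError("ID must be a positive integer")
    return conn.execute(
        "SELECT id, nome FROM componente_curricular WHERE id = ?", (int(raw_id),)
    ).fetchall()


# Constructed access-log lines in common log format (not real traffic).
LOG_LINES = [
    '203.0.113.5 - - [23/Sep/2025:07:02:05 +0000] "GET /module/ComponenteCurricular/edit?id=42 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [23/Sep/2025:07:03:11 +0000] "GET /module/ComponenteCurricular/edit?id=42%20OR%201%3D1 HTTP/1.1" 200 90210',
    '198.51.100.7 - - [23/Sep/2025:07:04:00 +0000] "GET /module/Portabilis/index HTTP/1.1" 200 800',
]
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_suspicious_requests(lines):
    """Detection: report requests to the edit endpoint whose ID argument is
    not a plain integer. Returns (path, decoded_id) pairs for review."""
    flagged = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlparse(match.group(1))
        if url.path != EDIT_PATH:
            continue
        # parse_qs percent-decodes values, so encoded payloads are inspected in clear.
        for key, values in parse_qs(url.query).items():
            if key.lower() != "id":
                continue
            for value in values:
                if not ID_PATTERN.fullmatch(value):
                    flagged.append((url.path, value))
    return flagged


if __name__ == "__main__":
    db = build_demo_db()
    print("hardened, valid id:", edit_lookup_hardened(db, "2"))
    try:
        edit_lookup_hardened(db, "2 OR 1=1")
    except ValueError as exc:
        print("hardened, rejected:", exc)
    print("flagged log entries:", flag_suspicious_requests(LOG_LINES))
```

Running the script shows the hardened lookup returning exactly one row for a valid ID and refusing a non-integer value before any query is issued, while the log scan flags the single request whose decoded ID is not a bare integer. The same whitelist check serves both purposes, which keeps the application-side validation and the monitoring rule in agreement; pair it with a database account limited to the tables and verbs the module actually needs, as the advisory recommends.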


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-22T05:35:24.202Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68d247e7cc150725e5c5bdc6

Added to database: 9/23/2025, 7:10:31 AM

Last enriched: 9/23/2025, 7:10:52 AM

Last updated: 9/24/2025, 10:00:56 AM

Views: 12
