CVE-2025-10973: SQL Injection in JackieDYH Resume-management-system
A flaw has been found in JackieDYH Resume-management-system up to commit fb6b857d852dd796e748ce30c606fe5e61c18273. Affected by this issue is some unknown functionality of the file /admin/show.php. Manipulation of the argument userid leads to SQL injection. The attack may be initiated remotely. The exploit has been published and may be used. This product uses a rolling release model to deliver continuous updates, so specific version information for affected or updated releases is not available. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-10973 is a SQL Injection vulnerability identified in the JackieDYH Resume-management-system, specifically affecting the /admin/show.php file. The vulnerability arises from improper sanitization or validation of the 'userid' parameter, allowing an attacker to manipulate SQL queries executed by the backend database. This flaw enables remote attackers to inject arbitrary SQL code without requiring authentication or user interaction, potentially leading to unauthorized data access or modification. The product follows a rolling release model, complicating precise version tracking, but the vulnerability affects versions up to commit fb6b857d852dd796e748ce30c606fe5e61c18273. The vendor has not responded to disclosure attempts, and no official patch has been released. The CVSS v4.0 base score is 6.9 (medium severity), reflecting network attack vector, low complexity, no privileges or user interaction required, and limited impact on confidentiality, integrity, and availability. Although no known exploits are currently in the wild, the public disclosure of the exploit code increases the risk of exploitation.
Potential Impact
For European organizations using the JackieDYH Resume-management-system, this vulnerability poses a significant risk to the confidentiality and integrity of sensitive personnel data. Exploitation could allow attackers to extract, modify, or delete resume and user information stored within the system, potentially leading to data breaches, identity theft, or disruption of HR operations. Given the administrative context of the vulnerable endpoint, attackers might gain elevated access to internal data. The lack of vendor response and patch availability increases exposure time. Organizations in sectors with strict data protection regulations, such as GDPR, face legal and reputational consequences if personal data is compromised. Additionally, the remote and unauthenticated nature of the attack vector means that attackers can exploit this vulnerability from anywhere, increasing the threat surface for European entities.
Mitigation Recommendations
European organizations should immediately audit their use of the JackieDYH Resume-management-system to determine exposure. If the system is deployed, restrict access to the /admin/show.php endpoint through network segmentation, firewall rules, or VPN access to trusted administrators only. Implement Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the 'userid' parameter. Conduct thorough input validation and sanitization on all user-supplied data, especially parameters used in SQL queries. Where possible, migrate to parameterized queries or prepared statements to eliminate injection risks. Monitor logs for suspicious query patterns or repeated access attempts to the vulnerable endpoint. Given the absence of an official patch, consider isolating or temporarily disabling the vulnerable functionality until a fix is available or switching to alternative resume management solutions with better security track records. Engage with the vendor or community to track any forthcoming patches or mitigations.
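As an added example that is not code from the Resume-management-system project (whose real query, schema and log format are not on this page), the Python snippet below puts the technical summary and the recommendations above side by side: a query that pastes the userid parameter into SQL text, the prepared-statement form with an allow-list check that the recommendations call for, and a small access-log scanner that flags requests to /admin/show.php whose userid is not a plain integer. SQLite stands in for whatever database the project uses; the `users` table, the log lines and every function name are constructed assumptions.

```python
"""Added example, not code from the JackieDYH Resume-management-system.
The project's real schema and query are not on the page; a constructed SQLite
table `users` (userid, name, email) stands in, and all names are hypothetical.
"""
import re
import sqlite3
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

USERID_RE = re.compile(r"\d{1,10}")  # the only shape a legitimate userid has


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users the admin page can look up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid INTEGER, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "Alice", "alice@example.test"),
         (2, "Bob", "bob@example.test"),
         (3, "Carol", "carol@example.test")],
    )
    return conn


def show_user_vulnerable(conn: sqlite3.Connection, userid: str) -> list:
    """The pattern the advisory describes: the raw request parameter becomes
    part of the SQL text, so it can change the query instead of being a value."""
    sql = f"SELECT userid, name, email FROM users WHERE userid = {userid}"
    return conn.execute(sql).fetchall()


def is_valid_userid(value: str) -> bool:
    """Allow-list check: a userid is a short run of digits, nothing else."""
    return USERID_RE.fullmatch(value) is not None


def show_user_safe(conn: sqlite3.Connection, userid: str) -> list:
    """Hardened form: reject anything that is not a plain integer, then bind
    the value with a placeholder so the driver sends it as data, never as SQL."""
    if not is_valid_userid(userid):
        raise ValueError("userid must be a positive integer")
    sql = "SELECT userid, name, email FROM users WHERE userid = ?"
    return conn.execute(sql, (int(userid),)).fetchall()


# Constructed access-log lines in combined format (not from any real host).
SAMPLE_LOG = """\
203.0.113.10 - - [25/Sep/2025:21:04:47 +0000] "GET /admin/show.php?userid=7 HTTP/1.1" 200 1842
203.0.113.10 - - [25/Sep/2025:21:04:52 +0000] "GET /admin/show.php?userid=7%20OR%201%3D1 HTTP/1.1" 200 9213
198.51.100.4 - - [25/Sep/2025:21:05:01 +0000] "GET /index.php HTTP/1.1" 200 512
203.0.113.10 - - [25/Sep/2025:21:05:03 +0000] "GET /admin/show.php?userid=7%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)


def suspicious_userid(value: str) -> Optional[str]:
    """Return a reason if a decoded userid is not a plain integer. The
    allow-list decides; the keyword checks only label what kind of junk it was."""
    if is_valid_userid(value):
        return None
    if re.search(r"['\"]|--|/\*|;", value):
        return "sql metacharacters"
    if re.search(r"\b(or|and|union|select|sleep|benchmark)\b", value, re.I):
        return "sql keyword"
    return "non-numeric userid"


def flag_requests(log_text: str) -> List[Tuple[str, str, str]]:
    """Scan access-log text for /admin/show.php requests whose userid fails
    the allow-list; returns (client ip, decoded value, reason) tuples."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        if parts.path != "/admin/show.php":
            continue
        # parse_qs percent-decodes, so the checks see what the application saw
        for raw in parse_qs(parts.query, keep_blank_values=True).get("userid", []):
            reason = suspicious_userid(raw)
            if reason:
                findings.append((m.group("ip"), raw, reason))
    return findings


if __name__ == "__main__":
    db = make_db()
    print(show_user_vulnerable(db, "1 OR 1=1"), show_user_safe(db, "2"))
    print(flag_requests(SAMPLE_LOG))
```

Both the query fix and the log check are allow-list first: because this endpoint only ever takes a numeric id, anything that is not a short run of digits is rejected (or alerted on) before any keyword matching happens. A WAF rule for the `userid` parameter is best written the same way, since a blocklist of SQL keywords is easy to miss with encoding variations while "must be all digits" is not.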
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-25T14:07:53.339Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68d5ae6ff728b01cbf7e14df
Added to database: 9/25/2025, 9:04:47 PM
Last enriched: 9/25/2025, 9:05:00 PM
Last updated: 9/26/2025, 12:10:45 AM
Related Threats
- CVE-2025-21056: CWE-20 Improper Input Validation in Samsung Mobile Retail Mode (Medium)
- CVE-2025-59422: CWE-284 Improper Access Control in langgenius dify (Medium)
- CVE-2025-10467: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in PROLIZ Computer Software Hardware Service Trade Ltd. Co. OBS (Student Affairs Information System) (High)
- CVE-2025-59841: CWE-384 Session Fixation in FlagForgeCTF flagForge (Critical)
- CVE-2025-55557: n/a (Medium)