CVE-2025-10973: SQL Injection in JackieDYH Resume-management-system
A flaw has been found in JackieDYH Resume-management-system up to commit fb6b857d852dd796e748ce30c606fe5e61c18273. An unknown function of the file /admin/show.php is affected: manipulation of the argument userid leads to SQL injection. The attack may be initiated remotely. The exploit has been published and may be used. This product uses a rolling release model to deliver continuous updates, so specific version information for affected or updated releases is not available. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-10973 is a SQL injection vulnerability in the JackieDYH Resume-management-system, located in /admin/show.php. The script passes the 'userid' request parameter into a database query without validating it as an integer or binding it as a query parameter, so a remote attacker can change the structure of the query rather than just its value. Depending on the privileges of the database account the application uses, that allows reading rows and tables the page was never meant to show (for example through a UNION clause), modifying or deleting records, or, with a sufficiently privileged account, full compromise of the database. The assigned CVSS 4.0 score is 6.9 (medium): network attack vector, low attack complexity, no privileges and no user interaction required, with limited impact on each of confidentiality, integrity and availability. The advisory does not say whether /admin/show.php sits behind a login; the score treats it as reachable without credentials, so verify that in your own deployment rather than assuming the admin path is protected. The project uses a rolling release model, so the only version reference is the commit hash fb6b857d852dd796e748ce30c606fe5e61c18273: that commit and everything before it are affected, and no fixed commit has been identified. The vendor did not respond to the disclosure, no patch has been published, and exploit code is public; no exploitation in the wild has been reported so far, but the published exploit lowers the bar considerably. The flaw itself is confined to how this one script builds its query; the blast radius is whatever the application's database account can reach.
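The following Python example is added here to make the bug class concrete; it is not code from the Resume-management-system, whose real query and schema are not published in this advisory. It assumes a hypothetical users table with constructed rows and uses an in-memory SQLite database so it runs offline. The vulnerable function concatenates userid into the query text the way the advisory describes; the fixed one accepts only a plain integer and binds it as a query parameter.

```python
import re
import sqlite3

# Constructed sample data standing in for whatever /admin/show.php reads; the
# table name, columns and rows are assumptions for this example, not the
# project's real schema.
SAMPLE_USERS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
    (3, "carol", "carol@example.test"),
]
PLAIN_INT = re.compile(r"[0-9]{1,10}")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def show_user_vulnerable(conn, userid):
    """The bug class: the request parameter is concatenated into the SQL text."""
    sql = "SELECT id, name, email FROM users WHERE id = " + userid
    return conn.execute(sql).fetchall()


def show_user_fixed(conn, userid):
    """Hardened form: allow only a plain integer, then bind it as a parameter."""
    if not PLAIN_INT.fullmatch(userid):
        raise ValueError("userid must be a positive integer")
    sql = "SELECT id, name, email FROM users WHERE id = ?"
    return conn.execute(sql, (int(userid),)).fetchall()


def demo():
    """Run a legitimate lookup and two injection payloads through both variants."""
    conn = make_db()
    # Tautology: turns "WHERE id = 1" into a condition that is always true.
    tautology = "1 OR 1=1"
    # UNION: appends attacker-chosen columns, here the database version string,
    # to show that data outside the intended row can be read back.
    union = "0 UNION SELECT 1, sqlite_version(), 'x'"
    try:
        show_user_fixed(conn, tautology)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "legit_vulnerable": show_user_vulnerable(conn, "2"),
        "payload_vulnerable": show_user_vulnerable(conn, tautology),
        "payload_union": show_user_vulnerable(conn, union),
        "legit_fixed": show_user_fixed(conn, "2"),
        "payload_fixed_rejected": rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The legitimate lookup returns one row from both variants; the tautology returns every row from the vulnerable variant and a ValueError from the fixed one. Validation and parameter binding are both used on purpose: binding alone stops the injection, but rejecting non-integers first also keeps malformed input out of logs and error paths.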
Potential Impact
For European organizations using the JackieDYH Resume-management-system, this vulnerability puts the confidentiality and integrity of the personal and professional data stored in the system at risk. Exploitation could disclose resumes, personal identifiers and other HR records, which would be a personal-data breach under GDPR and may trigger notification duties. Stored data could also be altered, affecting recruitment decisions and trust in the system. Availability impact is limited unless the injected statement can modify or delete data, which depends on the database driver allowing stacked statements and on the privileges of the application's database account. Because the vendor has not responded and no patch exists, exposure is open-ended. The risk is highest for organizations that rely on this system for talent acquisition and hold large volumes of applicant data. The public exploit code makes opportunistic attacks more likely, including by criminals harvesting identity data from European entities.
Mitigation Recommendations
Organizations should immediately audit their estate for instances of the JackieDYH Resume-management-system, which may have been deployed as a department-level tool rather than through central IT. Because the project is open source and no vendor fix exists, the most reliable mitigation is to patch the code yourself: in /admin/show.php, cast the userid parameter to an integer (or reject anything that is not a plain integer) and pass it to the database through a prepared statement instead of string concatenation; keep the change under version control so it survives the next pull from upstream. As a stopgap while that is done, add web application firewall rules that block requests to /admin/show.php whose userid contains anything other than digits, bearing in mind that signature-based WAF rules are routinely bypassed with encoding tricks. Restrict the /admin directory to internal addresses or VPN access, and confirm that it actually enforces a login, since the advisory does not say it does. Review web-server access logs for requests to /admin/show.php with non-numeric or percent-encoded userid values, and database logs for syntax errors or unusually broad result sets from that script; these are the main signals available before a patch. Place the application in a segmented network zone with a database account limited to the tables it needs, so a successful injection cannot reach other data or systems. Hunt proactively for past exploitation, since the exploit has been public since disclosure. Finally, keep tested backups of the database to recover from data corruption or deletion.
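As an added example (not part of the advisory or the project), the following Python scans web-server access-log lines for requests to /admin/show.php whose userid is not a plain integer, which is the cheapest signal a defender has before a patch is in place. The log lines, addresses and timestamps are constructed, the assumed format is the common combined log format, and the parameter name userid and path /admin/show.php are taken from the advisory.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed combined-log-format lines (not real traffic): one benign request,
# two injection attempts against userid, an unrelated request, and a POST whose
# body the access log does not record.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Sep/2025:21:04:47 +0000] "GET /admin/show.php?userid=42 HTTP/1.1" 200 1873 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Sep/2025:21:04:48 +0000] "GET /admin/show.php?userid=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2025:21:05:01 +0000] "GET /admin/show.php?userid=1+UNION+SELECT+1,2,3-- HTTP/1.1" 500 312 "-" "sqlmap/1.8"
198.51.100.7 - - [25/Sep/2025:21:05:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.10 - - [25/Sep/2025:21:05:03 +0000] "POST /admin/show.php HTTP/1.1" 200 1873 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TARGET_PATH = "/admin/show.php"
PARAM = "userid"
PLAIN_INT = re.compile(r"[0-9]{1,10}")


def decode_param(value):
    """parse_qs already percent-decoded once; decode again so a double-encoded
    payload (%2527 -> %27 -> ') is still seen as the quote it becomes server-side."""
    return unquote(value)


def scan_log(text):
    """Return one finding per suspicious request to the vulnerable endpoint."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != TARGET_PATH:
            continue
        if m["method"] != "GET":
            # Body parameters are not in an access log; record the request so
            # it can be correlated with application or database logs.
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                             "value": None,
                             "reason": "non-GET request to endpoint; body not logged"})
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
            decoded = decode_param(value)
            if PLAIN_INT.fullmatch(decoded):
                continue
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                             "value": decoded,
                             "reason": "userid is not a plain integer"})
    return findings


def by_source(findings):
    """Count findings per client address to spot scanning from one host."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["ip"], f["status"], f["reason"], repr(f["value"]))
    print(by_source(found))
```

The check is an allow-list (anything other than digits is flagged) rather than a pattern list of SQL keywords, so encoded, commented or case-mangled payloads are caught without maintaining signatures. Response size and status code are carried through because a 200 with a much larger body than the benign baseline, as in the second sample line, is the typical sign that a UNION or tautology actually returned extra rows.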
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-25T14:07:53.339Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68d5ae6ff728b01cbf7e14df
Added to database: 9/25/2025, 9:04:47 PM
Last enriched: 10/3/2025, 12:41:18 AM
Last updated: 11/8/2025, 5:16:20 AM