CVE-2025-12237 is a SQL injection vulnerability identified in version 1.0 of the projectworlds Advanced Library Management System, specifically in the /index.php file. The vulnerability arises from improper sanitization of the 'keywords' parameter, which is used in SQL queries without adequate validation or parameterization. This allows remote attackers to inject arbitrary SQL commands by manipulating this parameter, potentially leading to unauthorized data access, modification, or deletion within the backend database. The attack vector is network-based with no authentication or user interaction required, making it accessible to any remote attacker who can reach the vulnerable endpoint. The CVSS 4.0 vector indicates low attack complexity and no privileges needed, but the impact on confidentiality, integrity, and availability is limited to partial compromise, suggesting some database protections or limited query scope. Although no exploits have been observed in the wild, a public exploit is available, increasing the likelihood of exploitation attempts. The vulnerability affects only version 1.0 of the software, and no official patches or updates have been released yet. This vulnerability is particularly concerning for organizations relying on this system to manage sensitive library data, including user records and borrowing histories. Attackers could leverage this flaw to extract sensitive information or disrupt library operations. Given the public availability of the exploit, timely mitigation is critical to prevent exploitation.

For European organizations, especially academic institutions, public libraries, and research centers using projectworlds Advanced Library Management System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of their data. Successful exploitation could lead to unauthorized disclosure of patron information, manipulation of library records, or disruption of library services, impacting operational continuity and user trust. The remote and unauthenticated nature of the attack increases exposure, particularly for systems accessible over the internet or poorly segmented internal networks. Data breaches could have regulatory implications under GDPR, potentially resulting in fines and reputational damage. Additionally, attackers might use the compromised system as a foothold for lateral movement within organizational networks. The medium severity rating reflects that while the vulnerability is exploitable, its impact is somewhat contained, but the presence of a public exploit elevates the urgency for mitigation.

Organizations should immediately implement input validation and sanitization for the 'keywords' parameter in /index.php, ideally replacing dynamic SQL queries with parameterized prepared statements to prevent injection. Network-level controls should restrict access to the vulnerable endpoint, limiting exposure to trusted IP ranges or internal networks only. Monitoring and logging of SQL query anomalies and unusual database activity should be enhanced to detect exploitation attempts early. In absence of an official patch, consider deploying web application firewalls (WAFs) with custom rules to block malicious SQL injection payloads targeting this parameter. Conduct a thorough audit of all instances of the Advanced Library Management System to identify and isolate vulnerable versions. Educate IT staff about the vulnerability and the availability of public exploits to increase vigilance. Plan for an upgrade or patch deployment once the vendor releases a fix. Finally, review and reinforce database user permissions to minimize potential damage from successful exploitation.