CVE-2025-12326 identifies a SQL injection vulnerability in the shawon100 RUET OJ online judge system, specifically in the /process.php component that handles POST requests. The vulnerability arises from improper sanitization of the 'un' parameter, which an attacker can manipulate to inject malicious SQL code. This flaw can be exploited remotely without requiring authentication or user interaction, increasing its risk profile. The vulnerability affects the product version identified by commit hash 18fa45b0a669fa1098a0b8fc629cf6856369d9a5, but due to the absence of formal versioning, it is unclear which other versions might be impacted. The vendor has not provided any patches or updates, and public exploit code exists, although no active exploitation has been confirmed. The CVSS 4.0 score of 6.9 reflects a medium severity, considering the ease of exploitation and potential impact on confidentiality, integrity, and availability, albeit with limited scope and no privilege escalation. The lack of vendor response and patch availability increases the urgency for affected users to implement compensating controls. This vulnerability primarily threatens the backend database, potentially allowing attackers to extract sensitive data, modify records, or disrupt service availability. Given the nature of the RUET OJ platform as an educational or competitive programming tool, compromised systems could lead to data breaches or manipulation of contest results.

For European organizations, the impact of CVE-2025-12326 depends on the extent of RUET OJ deployment. Institutions using this platform for programming contests or educational purposes could face unauthorized data disclosure, including user credentials or contest data, undermining confidentiality. Integrity could be compromised by altering stored data or contest outcomes, damaging trust and fairness. Availability risks include potential denial-of-service conditions if attackers exploit the injection to corrupt database operations. The lack of authentication requirement and remote exploitability increase the threat level, especially for publicly accessible installations. Although no widespread exploitation is reported, the presence of public exploit code raises the risk of opportunistic attacks. European academic institutions or organizations with open-access RUET OJ instances are particularly vulnerable. The impact could extend to reputational damage and regulatory consequences under GDPR if personal data is exposed. The medium severity rating suggests moderate but actionable risk, necessitating prompt mitigation to prevent escalation.

Given the absence of official patches, European organizations should implement immediate compensating controls. First, apply strict input validation and sanitization on the 'un' parameter and all user inputs to prevent injection. Employ parameterized queries or prepared statements in the application code to eliminate direct SQL concatenation. Deploy Web Application Firewalls (WAFs) with rules targeting SQL injection patterns, specifically monitoring POST requests to /process.php. Conduct thorough code reviews and security testing to identify and remediate similar vulnerabilities. Restrict access to the RUET OJ platform to trusted networks or authenticated users where feasible to reduce exposure. Monitor logs for unusual database queries or errors indicative of injection attempts. Consider isolating the database with minimal privileges to limit damage scope. Engage with the vendor or community to encourage patch development or consider migrating to alternative, actively maintained platforms. Finally, maintain regular backups and incident response plans to recover from potential compromises.