CVE-2025-12939: SQL Injection in SourceCodester Interview Management System
A security flaw has been discovered in SourceCodester Interview Management System up to 1.0. Affected by this issue is some unknown functionality of the file /addCandidate.php. The manipulation of the argument candName results in SQL injection. The attack can be launched remotely. The exploit has been released to the public and may be exploited.
AI Analysis
Technical Summary
CVE-2025-12939 identifies a SQL injection vulnerability in the SourceCodester Interview Management System version 1.0, specifically in the /addCandidate.php script. The vulnerability arises from improper sanitization of the candName parameter, allowing an attacker with only low privileges to inject arbitrary SQL code remotely without user interaction. This can lead to unauthorized access, data leakage, data modification, or even full compromise of the underlying database. The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), and low impact on confidentiality, integrity, and availability (VC:L, VI:L, VA:L). Although the impact is rated low on each CIA component, the ability to perform SQL injection remotely without user interaction makes it a significant risk. No official patch has been released yet, and while no exploitation in the wild has been confirmed, the public availability of exploit code increases the likelihood of exploitation. The vulnerability affects only version 1.0 of the product, which manages interview and candidate data and is therefore a sensitive component in HR workflows. Attackers exploiting this flaw could extract sensitive candidate information, alter records, or disrupt recruitment operations.
Potential Impact
For European organizations, this vulnerability poses risks to the confidentiality and integrity of candidate and recruitment data, potentially leading to data breaches involving personally identifiable information (PII). Disruption of recruitment processes could affect business operations and compliance with data protection regulations such as GDPR. Organizations relying on SourceCodester Interview Management System may face reputational damage and legal consequences if sensitive data is exposed. The remote nature of the attack, and the fact that it requires only low privileges, increases the threat level, especially for organizations with internet-facing instances of the application. The medium CVSS score reflects moderate impact, but the presence of public exploit code elevates the urgency. Additionally, attackers could leverage this vulnerability as a foothold for further network compromise, especially if the database credentials used by the application have elevated privileges.
Mitigation Recommendations
Immediate mitigation steps include implementing strict input validation and sanitization on the candName parameter to prevent injection of malicious SQL commands. Refactoring the code to use parameterized queries or prepared statements is critical to eliminate SQL injection risks. Restrict database user privileges to the minimum necessary to limit the impact of potential exploitation. Network-level protections such as web application firewalls (WAFs) can help detect and block SQL injection attempts. Organizations should monitor logs for suspicious activity related to /addCandidate.php and the candName parameter. Since no official patch is currently available, consider isolating or restricting access to the affected system until a vendor patch or update is released. Conduct security audits and penetration tests focusing on input validation and database interactions. Finally, ensure backups of candidate data are current and secure to enable recovery in case of data corruption or loss.
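The prepared-statement, input-validation and least-privilege recommendations above, as an added PHP example that is not the project's own code: the table name candidates, the column cand_name, the database user ims_app and the IMS_DB_PASSWORD environment variable are assumptions.

```php
<?php
// Added example, not the project's code: a hardened handler for the candName
// parameter of /addCandidate.php. Table/column names and the DB user are assumed.
declare(strict_types=1);

// Connect as a least-privilege account (assumed name) that holds only the
// INSERT/SELECT grants this page needs, so any injection elsewhere is contained.
$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=interview;charset=utf8mb4',
    'ims_app',
    getenv('IMS_DB_PASSWORD') ?: '',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
     PDO::ATTR_EMULATE_PREPARES => false] // real server-side prepared statements
);

// Defence in depth: reject anything that is not a plausible person name.
// The prepared statement below is what actually prevents injection.
function validateCandName(string $raw): string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name) > 100) {
        throw new InvalidArgumentException('candName length out of range');
    }
    // Letters in any script, combining marks, spaces, apostrophes, hyphens, dots.
    if (!preg_match('/^[\p{L}\p{M} .\'\-]+$/u', $name)) {
        throw new InvalidArgumentException('candName contains disallowed characters');
    }
    return $name;
}

// candName is bound as a parameter, never concatenated into the SQL text,
// so quote or comment characters in the value cannot alter the query.
function addCandidate(PDO $pdo, string $candName): int
{
    $stmt = $pdo->prepare('INSERT INTO candidates (cand_name) VALUES (:name)');
    $stmt->bindValue(':name', $candName, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

try {
    $id = addCandidate($pdo, validateCandName((string) ($_POST['candName'] ?? '')));
    http_response_code(201);
    echo json_encode(['id' => $id]);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo json_encode(['error' => $e->getMessage()]);
}
```

Pair this with a database grant that gives ims_app no DROP, FILE or cross-database rights, so the VC/VI/VA impact stays bounded even if another page is still vulnerable.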
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-10T06:52:41.012Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6911e67fe2a2408170ae1f9a
Added to database: 11/10/2025, 1:19:59 PM
Last enriched: 11/17/2025, 1:56:09 PM
Last updated: 11/18/2025, 10:00:51 AM