CVE-2025-13578 identifies a SQL Injection vulnerability in the code-projects Library System version 1.0, specifically within the Login component's /index.php file. The vulnerability arises from improper sanitization of the Username parameter, allowing an attacker to inject malicious SQL code remotely without requiring authentication or user interaction. This flaw enables attackers to manipulate backend database queries, potentially leading to unauthorized data disclosure, modification, or deletion. The CVSS 4.0 base score of 6.9 reflects a medium severity, considering the vulnerability's network attack vector, low complexity, and no required privileges or user interaction. The impact on confidentiality, integrity, and availability is limited but non-negligible, as attackers can partially compromise these aspects. No patches or official fixes have been published yet, and no known exploits are currently active in the wild, but public disclosure increases the risk of exploitation attempts. The vulnerability affects only version 1.0 of the Library System, which is used primarily in library management contexts. The lack of authentication requirement and remote exploitability make this a significant concern for organizations relying on this software, especially those managing sensitive user or library data.

For European organizations, this vulnerability poses a risk of unauthorized access to sensitive library user data, including personal information and borrowing records. Attackers exploiting this flaw could alter or delete records, disrupt library operations, or gain footholds for further network intrusion. The impact is particularly critical for public libraries, educational institutions, and research centers that rely on the code-projects Library System for managing resources and user access. Data breaches could lead to privacy violations under GDPR, resulting in legal and financial repercussions. Additionally, service disruption could affect access to library resources, impacting educational and research activities. The medium severity rating suggests a moderate but tangible risk, especially if the vulnerable system is exposed to the internet without adequate network protections. Organizations lacking timely mitigation may face reputational damage and operational challenges.

Immediate mitigation should focus on implementing proper input validation and sanitization for the Username parameter in the Login component to prevent SQL injection. Developers should refactor the affected code to use parameterized queries or prepared statements to eliminate direct injection risks. Until an official patch is released, organizations should restrict external access to the vulnerable system by applying network-level controls such as firewalls or VPNs. Monitoring logs for unusual login attempts or SQL errors can help detect exploitation attempts early. Conducting a comprehensive audit of all inputs in the application for similar injection risks is advisable. Organizations should also prepare incident response plans specific to database compromise scenarios. If possible, upgrade to a patched or newer version of the software once available. Regular backups of the database should be maintained to enable recovery in case of data tampering. Finally, raising awareness among IT staff about this vulnerability will help ensure prompt action and vigilance.