CVE-2025-13578: SQL Injection in code-projects Library System
A vulnerability has been found in code-projects Library System 1.0. This affects an unknown function of the file /index.php of the component Login. The manipulation of the argument Username leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-13578 identifies a SQL injection vulnerability in the code-projects Library System version 1.0, affecting the Login component's /index.php file. The vulnerability is triggered by manipulation of the Username parameter, which is not properly sanitized before being used in SQL queries. This flaw allows remote attackers to inject arbitrary SQL commands without any authentication or user interaction, potentially enabling unauthorized data access, data modification, or database compromise. The vulnerability is classified under CVSS 4.0 with a score of 6.9, indicating a medium severity level. The attack vector is network-based (AV:N), with low attack complexity (AC:L), no privileges required (PR:N), and no user interaction needed (UI:N). The impact on confidentiality, integrity, and availability is low to medium (VC:L, VI:L, VA:L), and the scope is unchanged (S:U). Although no known exploits have been observed in the wild, the public disclosure increases the risk of exploitation by threat actors. The vulnerability affects only version 1.0 of the Library System, and no official patches or mitigation links have been provided yet. Organizations using this software should conduct immediate security assessments and implement compensating controls to mitigate risk.
Potential Impact
The SQL injection vulnerability allows attackers to execute arbitrary SQL commands on the backend database, potentially leading to unauthorized disclosure of sensitive information, data tampering, or deletion. This can compromise the confidentiality, integrity, and availability of the library system's data, including user credentials, book inventories, and transaction records. Exploitation could facilitate further attacks such as privilege escalation or lateral movement within the network. For organizations relying on this software, a successful attack could result in data breaches, operational disruptions, reputational damage, and regulatory penalties. Since the vulnerability requires no authentication or user interaction and can be exploited remotely, the attack surface is broad. The absence of known exploits in the wild currently limits immediate widespread impact, but the public disclosure increases the likelihood of future exploitation attempts.
Mitigation Recommendations
1. Immediate mitigation should include implementing input validation and sanitization on the Username parameter to prevent injection of malicious SQL code.
2. Employ parameterized queries or prepared statements in the Login component to eliminate direct concatenation of user input into SQL commands.
3. Restrict database user permissions to the minimum necessary to limit the impact of any successful injection.
4. Monitor web application logs for unusual or suspicious SQL query patterns indicative of injection attempts.
5. If possible, deploy a Web Application Firewall (WAF) with rules designed to detect and block SQL injection payloads targeting the affected endpoint.
6. Engage with the vendor or community to obtain official patches or updates addressing this vulnerability.
7. Conduct a comprehensive security audit of the entire application to identify and remediate similar injection flaws.
8. Educate developers on secure coding practices to prevent recurrence of such vulnerabilities.
9. Consider isolating or segmenting the affected system within the network to reduce potential lateral movement in case of compromise.
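The first two recommendations, input validation and parameterized queries, are easiest to see side by side. The example below is added here and is not code from the code-projects Library System; it is a Python/sqlite3 stand-in for the PHP login lookup, with a constructed users table, constructed account names and an assumed username policy. The vulnerable function splices the Username value into the SQL text, which is the defect class the CVE describes; a legitimate name containing an apostrophe is enough to break the query, which is the same symptom a log review would surface. The hardened function binds the value as a parameter, so the query text never changes.

```python
"""Login lookup contrast for the CVE-2025-13578 bug class.

Python/sqlite3 stand-in for the affected PHP /index.php login; the table,
accounts and passwords below are constructed for this demonstration and are
not the project's own data or code.
"""
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Store 'hex(salt)$hex(pbkdf2)' so the salt can be recovered at check time."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: two accounts, one whose name has an apostrophe."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, "
        "username TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)"
    )
    for name, pw in (("librarian", "correct horse battery staple"),
                     ("o'brien", "library-card-1234")):
        conn.execute("INSERT INTO users (username, password_hash) VALUES (?, ?)",
                     (name, hash_password(pw)))
    conn.commit()
    return conn


def username_is_acceptable(username: str) -> bool:
    """Assumed policy (recommendation 1): bounded length, printable characters only.
    This is defence in depth; it does not replace parameter binding."""
    return 0 < len(username) <= 64 and username.isprintable()


def vulnerable_login(conn: sqlite3.Connection, username: str, password: str):
    """The defect class: Username is concatenated into the SQL text, so its
    quote characters become part of the query instead of part of the value."""
    query = "SELECT id, password_hash FROM users WHERE username = '" + username + "'"
    row = conn.execute(query).fetchone()  # any quote in the name breaks the query
    if row and verify_password(password, row[1]):
        return row[0]
    return None


def safe_login(conn: sqlite3.Connection, username: str, password: str):
    """Hardened form (recommendations 1 and 2): validate, then bind with a
    placeholder so the driver passes the value to SQLite as data."""
    if not username_is_acceptable(username):
        return None
    row = conn.execute(
        "SELECT id, password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row and verify_password(password, row[1]):
        return row[0]
    return None


def query_breaks_on_apostrophe(conn: sqlite3.Connection) -> bool:
    """True when the concatenating lookup fails on a name containing a quote,
    i.e. when user input is shaping the SQL statement."""
    try:
        vulnerable_login(conn, "o'brien", "library-card-1234")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = build_demo_db()
    print("concatenated query breaks on o'brien:", query_breaks_on_apostrophe(db))
    print("parameterized login for o'brien:", safe_login(db, "o'brien", "library-card-1234"))
```

The point of `query_breaks_on_apostrophe` is that a syntax error on ordinary input is the same signal recommendation 4 asks operators to watch for in logs: once the query text depends on the Username value, every quote in it reaches the parser. The parameterized version returns the expected row for the same name because SQLite receives the value separately from the statement.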
Affected Countries
United States, India, Germany, United Kingdom, Canada, Australia, France, Brazil, South Africa, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-23T09:42:56.684Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6923c4dda532ea377e83711d
Added to database: 11/24/2025, 2:37:17 AM
Last enriched: 2/24/2026, 10:10:34 PM
Last updated: 3/23/2026, 2:15:03 AM
Views: 121