CVE-2025-13585 is a SQL injection vulnerability identified in the code-projects COVID Tracking System version 1.0, affecting the /login.php endpoint through the 'code' parameter. SQL injection occurs when untrusted input is improperly sanitized and directly included in SQL queries, allowing attackers to manipulate backend database commands. In this case, an attacker can remotely send crafted input to the 'code' parameter without requiring authentication or user interaction, exploiting the vulnerability to execute arbitrary SQL commands. This can lead to unauthorized data retrieval, modification, or deletion, potentially compromising sensitive health data managed by the COVID Tracking System. The vulnerability has a CVSS 4.0 base score of 6.9, reflecting a medium severity level due to its remote exploitability and impact on confidentiality, integrity, and availability, albeit with limited scope. No patches or fixes have been published yet, and while no known exploits are active in the wild, the public availability of exploit code increases the risk of attacks. The COVID Tracking System is likely deployed in healthcare or governmental environments, making the vulnerability particularly concerning for data privacy and operational continuity. The lack of authentication or user interaction requirements lowers the barrier for exploitation, emphasizing the need for urgent remediation.

For European organizations, exploitation of this SQL injection vulnerability could lead to unauthorized access to sensitive personal health information collected by COVID tracking applications, violating GDPR and other data protection regulations. Data integrity could be compromised, resulting in inaccurate tracking data that may affect public health decisions. Availability of the system could also be impacted if attackers execute destructive SQL commands, causing service disruptions. Healthcare providers, government agencies, and third-party service providers using this system are at risk of reputational damage, regulatory penalties, and operational setbacks. The medium severity score indicates a moderate but tangible risk, especially given the critical nature of pandemic-related data. The public availability of exploit code increases the likelihood of opportunistic attacks, particularly targeting less-secured deployments. Organizations relying on this system must consider the potential cascading effects on public health monitoring and response capabilities.

Organizations should immediately audit their COVID Tracking System installations to identify vulnerable versions (1.0). Implement strict input validation and sanitization on the 'code' parameter in /login.php, preferably using parameterized queries or prepared statements to prevent SQL injection. If possible, apply any vendor-released patches or updates as soon as they become available. Restrict access to the login endpoint through network controls such as IP whitelisting or VPNs to reduce exposure. Employ web application firewalls (WAFs) with SQL injection detection rules to provide an additional layer of defense. Conduct thorough security testing, including dynamic application security testing (DAST), to identify and remediate injection flaws. Monitor logs for suspicious activities targeting the vulnerable parameter. Educate developers and administrators on secure coding practices to prevent similar vulnerabilities in future releases. Finally, ensure compliance with data protection regulations by implementing incident response plans in case of data breaches.