CVE-2025-14223 identifies a SQL injection vulnerability in version 1.0 of the Simple Leave Manager software developed by code-projects. The vulnerability resides in the /request.php script, specifically in the handling of the staff_id parameter. Due to insufficient input validation or sanitization, an attacker can craft malicious input that alters the intended SQL query logic, enabling unauthorized database queries. This can lead to unauthorized data retrieval, modification, or deletion within the application's database. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing its risk profile. The CVSS 4.0 base score is 6.9, reflecting medium severity with network attack vector, low complexity, and no privileges or user interaction needed. The impact on confidentiality, integrity, and availability is limited but non-negligible, as indicated by the CVSS vector components (VC:L, VI:L, VA:L). No patches or fixes have been publicly released yet, and no known exploits are currently observed in the wild. The disclosure date is December 8, 2025, indicating a recent discovery. The affected product is a specialized leave management system likely deployed in HR environments to manage employee leave requests and records. Exploitation could expose sensitive employee data or disrupt leave management operations.

For European organizations, the impact of this vulnerability can be significant, especially for those handling sensitive employee data subject to GDPR and other privacy regulations. Unauthorized access or manipulation of leave records could lead to data breaches, exposing personally identifiable information (PII) and potentially resulting in regulatory fines and reputational damage. Operationally, exploitation could disrupt HR processes, affecting workforce management and payroll accuracy. The medium severity suggests that while the vulnerability does not allow full system compromise, it still poses a tangible risk to data confidentiality and integrity. Organizations using Simple Leave Manager version 1.0 must consider the risk of targeted attacks, particularly from insiders or external threat actors aiming to access or alter HR data. The lack of authentication requirement lowers the barrier for attackers, increasing the likelihood of exploitation if the software is internet-facing or accessible within internal networks. Given the public disclosure, the risk of exploit development and subsequent attacks will likely increase over time.

1. Immediately audit all instances of Simple Leave Manager version 1.0 to identify affected systems. 2. Implement strict input validation and sanitization on the staff_id parameter in /request.php, preferably using parameterized queries or prepared statements to prevent SQL injection. 3. If available, apply vendor patches or updates addressing this vulnerability as soon as they are released. 4. Restrict network access to the application, limiting exposure to trusted internal networks or VPNs to reduce remote exploitation risk. 5. Monitor application logs for suspicious queries or unusual activity targeting the staff_id parameter. 6. Conduct security testing, including automated and manual penetration tests, focusing on SQL injection vectors. 7. Educate HR and IT staff about the vulnerability and the importance of timely patching and access controls. 8. Consider deploying Web Application Firewalls (WAFs) with rules to detect and block SQL injection attempts targeting this endpoint. 9. Review and enhance database user permissions to minimize the impact of any successful injection, following the principle of least privilege. 10. Prepare an incident response plan to quickly address any detected exploitation attempts.