CVE-2025-14536 is a SQL injection vulnerability identified in version 1.0 of the code-projects Class and Exam Timetable Management application, specifically within the Login component's /index.php file. The vulnerability arises from improper sanitization of the username and password input parameters, which are directly used in SQL queries without adequate validation or parameterization. This flaw allows remote attackers to inject arbitrary SQL commands, potentially enabling unauthorized data access, modification, or deletion within the backend database. The vulnerability requires no authentication or user interaction, making it highly accessible to attackers. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low complexity, and no privileges or user interaction needed, but limited impact on confidentiality, integrity, and availability. Although no active exploitation has been reported, a public exploit exists, increasing the likelihood of attacks. The affected software is primarily used in educational environments to manage class and exam schedules, making sensitive student and institutional data at risk. The lack of vendor patches or official remediation guidance necessitates immediate defensive measures by users. The vulnerability's exploitation could lead to data leakage, unauthorized administrative access, or disruption of scheduling services, impacting operational continuity and privacy compliance.

For European organizations, especially educational institutions using code-projects Class and Exam Timetable Management 1.0, this vulnerability poses significant risks. Exploitation could lead to unauthorized disclosure of sensitive student and staff information, violating GDPR and other data protection regulations, resulting in legal and financial penalties. Integrity of scheduling data could be compromised, causing operational disruptions such as exam rescheduling or class cancellations. Availability impacts, while limited, could affect service continuity if attackers manipulate or delete critical timetable data. The remote, unauthenticated nature of the attack increases the threat surface, potentially allowing widespread exploitation across multiple institutions. Additionally, reputational damage from data breaches could undermine trust in affected organizations. The medium severity rating suggests moderate but tangible risks that require timely attention to prevent escalation or chaining with other vulnerabilities.

To mitigate CVE-2025-14536, organizations should immediately implement input validation and sanitization for the username and password parameters in the /index.php Login component. Employing prepared statements or parameterized queries is critical to prevent SQL injection. If source code modification is not feasible, deploying Web Application Firewalls (WAFs) with SQL injection detection rules can provide a temporary protective layer. Restricting network access to the affected application to trusted IP ranges and enforcing strict authentication controls can reduce exposure. Regularly monitoring logs for suspicious login attempts or unusual query patterns is advised. Organizations should also engage with the vendor or community for patches or updates and plan for software upgrades. Conducting security audits and penetration testing focused on injection flaws will help identify residual risks. Finally, ensure backups of critical data are maintained to enable recovery in case of data tampering or loss.