CVE-2025-14646 identifies a SQL injection vulnerability in the Student File Management System version 1.0 developed by code-projects. The vulnerability is located in the /admin/delete_student.php script, specifically in the handling of the stud_id parameter. Due to insufficient input validation or sanitization, an attacker can inject arbitrary SQL commands remotely without requiring authentication or user interaction. This allows the attacker to manipulate the backend database, potentially enabling unauthorized data retrieval, modification, or deletion. The vulnerability does not require special privileges, making it accessible to unauthenticated remote attackers. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) indicates network attack vector, low attack complexity, no privileges or user interaction needed, and partial impact on confidentiality, integrity, and availability. Although no exploits are currently observed in the wild, the public release of exploit code increases the likelihood of exploitation attempts. The affected product is primarily used in educational environments to manage student records, making the confidentiality and integrity of sensitive student data a concern. The vulnerability’s exploitation could lead to unauthorized disclosure of personal data, data tampering, or denial of service by deleting or corrupting records. The lack of available patches necessitates immediate mitigation through secure coding practices and access controls.

For European organizations, particularly educational institutions using the Student File Management System, this vulnerability poses a significant risk to the confidentiality and integrity of student data. Unauthorized SQL injection attacks could lead to exposure of personally identifiable information (PII), academic records, and other sensitive data, violating GDPR and other privacy regulations. Data integrity could be compromised by unauthorized deletion or modification of student records, disrupting academic operations and trust. Availability could also be affected if attackers delete critical data or cause database errors, impacting administrative functions. The medium severity rating reflects moderate impact, but the ease of exploitation without authentication increases urgency. European institutions may face reputational damage, regulatory penalties, and operational disruptions if exploited. The risk is amplified in countries with high digital adoption in education and limited cybersecurity resources.

1. Immediately implement input validation and sanitization on the stud_id parameter to prevent injection of malicious SQL code. 2. Refactor the vulnerable code to use parameterized queries or prepared statements, eliminating direct concatenation of user input in SQL commands. 3. Restrict access to /admin/delete_student.php and other administrative endpoints via network segmentation, VPN, or IP whitelisting to limit exposure. 4. Monitor web server and database logs for unusual queries or access patterns indicative of SQL injection attempts. 5. Conduct a comprehensive security review of the entire Student File Management System codebase to identify and remediate similar injection flaws. 6. Educate system administrators and developers on secure coding practices and the importance of input validation. 7. If patching is not immediately available, consider deploying Web Application Firewalls (WAFs) with rules to detect and block SQL injection payloads targeting stud_id. 8. Regularly back up student data and verify backup integrity to enable recovery in case of data tampering or deletion.