CVE-2025-41002: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in MANANTIAL DE IDEAS, S.L. Infoticketing
CVE-2025-41002 is a critical SQL injection vulnerability affecting all versions of MANANTIAL DE IDEAS, S.L.'s Infoticketing product. The flaw exists in the '/components/cart/cartApplyDiscount.php' endpoint, where the 'code' parameter is improperly sanitized, allowing unauthenticated attackers to execute arbitrary SQL commands. Exploitation requires no authentication or user interaction, enabling attackers to retrieve, modify, or delete database contents. This vulnerability poses a severe risk to confidentiality, integrity, and availability of affected systems. No patches are currently available, and no known exploits have been observed in the wild. Organizations using Infoticketing should prioritize mitigation to prevent potential data breaches and service disruptions. Countries with significant use of this product, especially in Europe and Latin America, are at heightened risk.
AI Analysis
Technical Summary
CVE-2025-41002 is a critical SQL injection vulnerability identified in the Infoticketing product developed by MANANTIAL DE IDEAS, S.L. The vulnerability arises from improper neutralization of special elements in SQL commands (CWE-89) within the 'code' parameter of the '/components/cart/cartApplyDiscount.php' endpoint. This flaw allows an unauthenticated attacker to send crafted POST requests that can manipulate the backend database directly. The attacker can perform a wide range of malicious actions including retrieving sensitive data, creating new records, updating existing data, or deleting database entries, thereby compromising confidentiality, integrity, and availability. The vulnerability affects all versions of Infoticketing, indicating a systemic issue in input handling. The CVSS 4.0 base score is 9.3, reflecting its critical severity, with attack vector network (AV:N), no required privileges (PR:N), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability. No patches or fixes have been published yet, and no known exploits have been reported in the wild, but the ease of exploitation and potential damage make this a high-priority threat. The vulnerability was reserved in April 2025 and published in February 2026 by INCIBE, a recognized cybersecurity entity. Given the nature of the product—ticketing software likely used by event organizers and service providers—successful exploitation could lead to data breaches, financial fraud, and operational disruptions.
Potential Impact
The impact of CVE-2025-41002 is severe for organizations using Infoticketing. An attacker can gain unauthorized access to sensitive customer and transactional data, potentially leading to data breaches involving personal information and payment details. The ability to create, update, or delete database records can result in financial fraud, manipulation of ticketing data, and denial of service through data destruction or corruption. This can damage organizational reputation, cause regulatory compliance violations (e.g., GDPR), and result in financial losses. The vulnerability’s unauthenticated nature and lack of user interaction requirements increase the risk of automated mass exploitation. Organizations relying on Infoticketing for event management or ticket sales worldwide face operational disruptions, loss of customer trust, and potential legal liabilities. The absence of patches further exacerbates the risk, necessitating immediate defensive measures.
Mitigation Recommendations
Given the lack of official patches, organizations should implement immediate compensating controls. Deploy a Web Application Firewall (WAF) with custom rules to detect and block SQL injection attempts targeting the 'code' parameter in '/components/cart/cartApplyDiscount.php'. Conduct thorough input validation and sanitization on all user-supplied data, especially the 'code' parameter, using parameterized queries or prepared statements to prevent injection. Monitor application logs and network traffic for unusual POST requests or database anomalies. Restrict database user permissions to the minimum necessary to limit the impact of potential exploitation. Consider isolating the Infoticketing system within segmented network zones to reduce exposure. Engage with the vendor for updates and patches, and plan for rapid deployment once available. Additionally, conduct security awareness training for developers and administrators about secure coding practices and vulnerability management.
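The injection pattern described in the Technical Summary and the parameterized-query and input-validation mitigation recommended above, as an added example: this is not Infoticketing's code (the advisory does not show the vulnerable source), and the unsafe function is only a generic CWE-89 string-concatenation pattern included for contrast. Assumptions: a MySQL table `discount_codes` with columns `code`, `percent` and `expires_at`, a placeholder DSN and a least-privilege read-only database account, and a discount-code format of 4 to 32 characters from [A-Z0-9-]; only the endpoint path and parameter name come from the advisory.

```php
<?php
// Added example (not the product's code): a hardened handler for a
// POST to /components/cart/cartApplyDiscount.php with a 'code' parameter.
declare(strict_types=1);

function connectDb(): PDO
{
    // Placeholder DSN and account; 'ticketing_ro' is assumed to hold only
    // SELECT on discount_codes (least privilege limits blast radius).
    $pdo = new PDO(
        'mysql:host=127.0.0.1;dbname=ticketing;charset=utf8mb4',
        'ticketing_ro',
        getenv('DB_PASSWORD') ?: ''
    );
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Real server-side prepares: the bound value is never spliced into SQL text.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// Allowlist validation (assumed code format): reject anything that is not
// 4-32 characters of uppercase letters, digits or hyphens before it reaches SQL.
function isValidCode(string $code): bool
{
    return (bool) preg_match('/^[A-Z0-9-]{4,32}$/', $code);
}

// VULNERABLE pattern (CWE-89), shown for contrast only: the untrusted value
// becomes part of the SQL statement itself, so the database parses it as SQL.
function lookupDiscountUnsafe(PDO $pdo, string $code): ?array
{
    $sql = "SELECT code, percent FROM discount_codes WHERE code = '" . $code . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// HARDENED: validate, then bind the value as a parameter. A bound parameter is
// data, never SQL, regardless of which characters it contains.
function lookupDiscount(PDO $pdo, string $code): ?array
{
    if (!isValidCode($code)) {
        // Log the rejection (length only, not the raw value) so monitoring can
        // spot unusual POSTs to this endpoint, as the mitigation advice suggests.
        error_log(sprintf('cartApplyDiscount: rejected code (len=%d)', strlen($code)));
        return null;
    }
    $stmt = $pdo->prepare(
        'SELECT code, percent FROM discount_codes WHERE code = :code AND expires_at > NOW()'
    );
    $stmt->execute([':code' => $code]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Request handling: only POST, JSON response, database errors logged not echoed.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    header('Content-Type: application/json');
    $code = strtoupper(trim((string) ($_POST['code'] ?? '')));
    try {
        $discount = lookupDiscount(connectDb(), $code);
    } catch (PDOException $e) {
        error_log('cartApplyDiscount: database error: ' . $e->getMessage());
        http_response_code(500);
        echo json_encode(['ok' => false]);
        exit;
    }
    if ($discount === null) {
        http_response_code(400);
        echo json_encode(['ok' => false, 'error' => 'invalid or expired code']);
        exit;
    }
    echo json_encode(['ok' => true, 'percent' => (int) $discount['percent']]);
}
```

The prepared statement is the actual fix: with emulated prepares disabled, MySQL compiles the statement once and receives the code value separately, so no character in the parameter can change the query's structure. The allowlist check is defence in depth, and its log line is what a WAF rule or log-monitoring rule for this endpoint would key on.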
Affected Countries
Spain, Mexico, Argentina, Colombia, Chile, Peru, United States, Germany, France, United Kingdom, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: INCIBE
- Date Reserved: 2025-04-16T09:08:41.550Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699c25a9be58cf853b6f8c75
Added to database: 2/23/2026, 10:02:17 AM
Last enriched: 2/23/2026, 10:16:30 AM
Last updated: 2/23/2026, 11:17:20 AM