CVE-2025-48743: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in SIGB PMB
SIGB PMB before 8.0.1.2 allows SQL injection.
AI Analysis
Technical Summary
CVE-2025-48743 is a medium-severity SQL Injection vulnerability affecting SIGB PMB versions prior to 8.0.1.2. The vulnerability arises from improper neutralization of special elements used in SQL commands (CWE-89), allowing an unauthenticated remote attacker to inject malicious SQL code via network access without requiring user interaction. The CVSS 3.1 base score is 5.3, reflecting a network attack vector with low complexity and no privileges or user interaction needed. Exploitation could lead to unauthorized disclosure of limited data (confidentiality impact is low), but does not affect integrity or availability. The vulnerability is present in the SIGB PMB product, a library management system used by libraries and educational institutions to manage bibliographic data and user transactions. No known exploits are currently reported in the wild, and no official patches or mitigations have been published yet. The vulnerability was reserved and published in May 2025, indicating recent discovery. The lack of authentication requirement and network accessibility make this vulnerability a potential risk for organizations running vulnerable versions of SIGB PMB, especially those exposing the application to external networks or insufficiently segmented internal networks. Attackers could craft malicious SQL queries to extract sensitive bibliographic or user data from the backend database, potentially leading to privacy violations or data leakage. However, the limited impact on integrity and availability reduces the risk of destructive attacks such as data tampering or service disruption.
Potential Impact
For European organizations, particularly libraries, universities, and research institutions using SIGB PMB, this vulnerability poses a risk of unauthorized data disclosure. Given the nature of the product, leaked data could include patron information, borrowing records, or bibliographic metadata, which may contain personally identifiable information (PII) subject to GDPR protections. Data leakage could lead to privacy breaches and regulatory penalties under GDPR. Although the vulnerability does not enable data modification or denial of service, the confidentiality impact alone is significant for institutions handling sensitive user data. The risk is heightened if the SIGB PMB instance is accessible from external networks or poorly segmented internal networks. European organizations with limited cybersecurity resources or delayed patch management processes may be particularly vulnerable. The absence of known exploits in the wild provides a window for proactive mitigation before active attacks emerge.
Mitigation Recommendations
1. Upgrade SIGB PMB to version 8.0.1.2 or later as soon as the patch becomes available to address the SQL injection vulnerability.
2. Until patching is possible, restrict network access to the SIGB PMB application by implementing strict firewall rules limiting access to trusted internal IP addresses only.
3. Employ web application firewalls (WAFs) with SQL injection detection and prevention capabilities to monitor and block suspicious SQL payloads targeting the application.
4. Conduct code reviews and input validation audits on any custom integrations or extensions interfacing with SIGB PMB to ensure no additional injection vectors exist.
5. Monitor application logs for unusual query patterns or error messages indicative of attempted SQL injection attacks.
6. Educate IT and security staff about the vulnerability and the importance of timely patching and network segmentation.
7. Implement database user permissions with least privilege to limit the impact of any successful injection attempts, ensuring the database user used by SIGB PMB has read-only access where feasible.
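A minimal implementation of recommendation 5 (log monitoring), added here as an example and not part of the advisory or of SIGB PMB itself: it parses constructed Apache-style access log lines, URL-decodes each query string and flags requests whose parameters contain SQL comment sequences, UNION/SELECT chains or boolean tautologies, while leaving a legitimate apostrophe (a surname such as O'Brien) unflagged. The request paths and parameter names are placeholders, not PMB endpoints.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample lines in Apache combined-log style. Paths and parameter
# names are placeholders, not real SIGB PMB endpoints.
SAMPLE_LOG = """\
10.0.0.5 - - [27/May/2025:12:20:36 +0200] "GET /catalog/notice.php?id=42 HTTP/1.1" 200 5120
10.0.0.9 - - [27/May/2025:12:21:02 +0200] "GET /catalog/notice.php?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 9034
10.0.0.9 - - [27/May/2025:12:21:05 +0200] "GET /catalog/notice.php?id=42%20UNION%20SELECT%20NULL%2CNULL HTTP/1.1" 500 312
10.0.0.7 - - [27/May/2025:12:22:10 +0200] "GET /catalog/search.php?q=O%27Brien HTTP/1.1" 200 2200
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators evaluated on the URL-decoded query string. A lone apostrophe is
# deliberately not an indicator: it is common in legitimate catalogue searches.
INDICATORS = {
    "sql_comment": re.compile(r"--|/\*"),
    "union_select": re.compile(r"\bunion\b[\s\S]{0,40}?\bselect\b", re.I),
    "tautology": re.compile(r"\b(or|and)\b\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
}


def decode_query(url: str) -> str:
    """Return the URL-decoded query string of a request target ('' if none)."""
    return unquote_plus(urlsplit(url).query)


def classify(url: str) -> list[str]:
    """Names of the indicators that match the decoded query string."""
    query = decode_query(url)
    return [name for name, rx in INDICATORS.items() if rx.search(query)]


def scan_log(text: str) -> list[dict]:
    """Parse access-log lines and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the scan
        hits = classify(m["url"])
        if hits:
            findings.append({"ip": m["ip"], "ts": m["ts"], "url": m["url"],
                             "status": int(m["status"]), "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['ts']} {f['status']} {','.join(f['indicators'])} {f['url']}")
```

A 500 response paired with an indicator hit, as in the third sample line, is the pattern the advisory's "error messages indicative of attempted SQL injection" refers to and is worth alerting on separately.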
Affected Countries
France, Germany, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-05-23T00:00:00.000Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 6835ae14182aa0cae20f9f3f
Added to database: 5/27/2025, 12:20:36 PM
Last enriched: 7/11/2025, 11:46:19 AM
Last updated: 8/14/2025, 5:27:15 PM