CVE-2025-65125 is a SQL injection vulnerability identified in the movie_details.php file of the gosaliajainam/online-movie-booking application, version 5.5. SQL injection vulnerabilities occur when user-supplied input is improperly sanitized and directly included in SQL queries, allowing attackers to manipulate the query logic. In this case, the vulnerability enables an attacker to craft malicious input that alters the SQL commands executed by the backend database. This can lead to unauthorized disclosure of sensitive information such as user credentials, booking details, or payment data. The vulnerability was reserved in November 2025 and published in January 2026, but no CVSS score or patches have been released yet. No known exploits are currently reported in the wild. The lack of patches and public exploits suggests the vulnerability might be newly discovered or under analysis. The affected software is an online movie booking system, which is typically used by entertainment companies or ticketing services to manage movie schedules and bookings. Exploitation requires sending specially crafted requests to the vulnerable movie_details.php endpoint, potentially without authentication depending on the application design. The absence of CWE identifiers limits detailed classification, but SQL injection is a well-known critical vulnerability class. The vulnerability impacts confidentiality primarily, with possible integrity and availability implications if attackers escalate their access. The threat is significant due to the sensitive nature of booking and user data handled by such applications.

For European organizations, this vulnerability poses a risk of unauthorized access to sensitive customer and transactional data, including personal information and payment details. Exploitation could lead to data breaches, regulatory non-compliance (e.g., GDPR violations), reputational damage, and financial losses. Organizations operating online ticketing or entertainment platforms using this software or similar vulnerable components are particularly at risk. The exposure of booking details could also facilitate fraud or identity theft. Additionally, attackers might leverage the vulnerability to pivot into internal networks or disrupt service availability. The lack of patches increases the window of exposure, and the absence of known exploits suggests a potential for zero-day exploitation. The impact is heightened in sectors with high customer volumes and frequent online transactions, common in European urban centers and entertainment hubs.

Organizations should immediately conduct an inventory to identify deployments of gosaliajainam/online-movie-booking version 5.5 or similar vulnerable versions. Since no official patches are available, developers must review and refactor the movie_details.php code to implement parameterized queries or prepared statements, eliminating direct concatenation of user input into SQL commands. Input validation and sanitization should be enforced rigorously on all user-supplied data. Employing web application firewalls (WAFs) with SQL injection detection rules can provide temporary protection. Regularly monitor database logs and application behavior for anomalous queries or access patterns indicative of exploitation attempts. Conduct penetration testing focused on SQL injection vectors to validate mitigations. Organizations should also prepare incident response plans for potential data breaches stemming from this vulnerability. Engaging with the software vendor or open-source community for updates and patches is recommended. Finally, ensure compliance with data protection regulations by securing sensitive data and maintaining audit trails.