CVE-2025-7491: SQL Injection in PHPGurukul Vehicle Parking Management System
A vulnerability was found in PHPGurukul Vehicle Parking Management System 1.13. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /admin/manage-outgoingvehicle.php. The manipulation of the argument del leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-7491 is a SQL injection vulnerability identified in version 1.13 of the PHPGurukul Vehicle Parking Management System. The vulnerability exists in the /admin/manage-outgoingvehicle.php file, specifically through manipulation of the 'del' parameter. This parameter is susceptible to injection of attacker-controlled SQL, allowing an attacker to interfere with the queries executed by the backend database. The vulnerability can be exploited remotely without requiring user interaction or authentication, making it accessible to unauthenticated attackers over the network. The SQL injection flaw could allow attackers to read, modify, or delete data within the database, potentially leading to unauthorized data disclosure, data corruption, or disruption of service. The CVSS 4.0 base score is 5.3 (medium severity): the attack vector is network-based and requires no user interaction, but the vector rates privileges required as low (PR:L), meaning the scoring assumes an attacker holding a low-privileged account, and the impact on confidentiality, integrity, and availability is rated low. No known exploits are currently observed in the wild, and no patches have been publicly released yet. The vulnerability disclosure date is July 12, 2025.
Potential Impact
For European organizations using PHPGurukul Vehicle Parking Management System version 1.13, this vulnerability poses a risk of unauthorized database access and manipulation. Given that parking management systems often store sensitive information such as vehicle registration details, user identities, timestamps, and possibly payment information, exploitation could lead to data breaches compromising personal data protected under GDPR. Additionally, attackers could disrupt parking operations, causing availability issues that impact business continuity and customer experience. The medium severity rating suggests that while the impact is not catastrophic, it is significant enough to warrant prompt attention. Organizations in sectors such as municipal services, private parking operators, and commercial facilities using this system could face operational disruptions and reputational damage. The remote and unauthenticated nature of the exploit increases the risk, especially if the system is exposed to the internet or poorly segmented within internal networks.
Mitigation Recommendations
Immediate mitigation steps include restricting access to the /admin/manage-outgoingvehicle.php endpoint through network-level controls such as firewalls or VPNs to limit exposure to trusted administrators only. Implementing web application firewalls (WAFs) with rules to detect and block SQL injection attempts targeting the 'del' parameter can provide temporary protection. Organizations should conduct a thorough code review, validate all user inputs against an allow-list (the 'del' parameter in particular should be accepted only as a numeric record identifier), and use parameterized queries or prepared statements so that user input is never concatenated into SQL text. Since no official patch is currently available, organizations should monitor vendor communications for updates and apply patches promptly once released. Additionally, auditing database logs for suspicious queries and monitoring for unusual activity can help detect exploitation attempts early. Segmenting the parking management system from critical business networks and keeping regular backups of the database will help limit the damage from a successful attack.
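A lightweight detection check for the 'del' parameter, written here as an added example and not part of the advisory or of PHPGurukul's code: it scans web-server access log lines (constructed samples, not real traffic) for requests to the affected endpoint whose del value is not a plain integer record id, which is the same allow-list the handler itself should enforce before the value reaches a query.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jul/2025:10:01:02 +0000] "GET /admin/manage-outgoingvehicle.php?del=17 HTTP/1.1" 200 512
203.0.113.9 - - [12/Jul/2025:10:02:45 +0000] "GET /admin/manage-outgoingvehicle.php?del=17%27 HTTP/1.1" 500 0
203.0.113.9 - - [12/Jul/2025:10:02:50 +0000] "GET /admin/manage-outgoingvehicle.php?del=abc HTTP/1.1" 200 512
198.51.100.2 - - [12/Jul/2025:10:03:10 +0000] "GET /admin/dashboard.php HTTP/1.1" 200 2048
"""

# Combined log format: client ip, ident, user, [timestamp], "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/admin/manage-outgoingvehicle.php"  # affected file named in the advisory
ID_RE = re.compile(r"^[0-9]{1,10}$")  # allow-list: a record id is digits only


def is_record_id(value):
    """True if the (already URL-decoded) value looks like a plain integer id."""
    return bool(ID_RE.match(value))


def suspicious_del_requests(log_text):
    """Return (ip, timestamp, decoded del value) for every request to the
    affected endpoint whose del parameter fails the integer allow-list."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable access-log line
        url = urlsplit(m.group("target"))
        if url.path != ENDPOINT:
            continue
        # parse_qs percent-decodes values, so "17%27" becomes "17'".
        for raw in parse_qs(url.query, keep_blank_values=True).get("del", []):
            if not is_record_id(raw):
                hits.append((m.group("ip"), m.group("ts"), raw))
    return hits


if __name__ == "__main__":
    for ip, ts, value in suspicious_del_requests(SAMPLE_LOG):
        print(f"{ts} {ip} non-integer del value: {value!r}")
```

The same digits-only check, applied in the PHP handler before the id is bound to a prepared statement, is the input-validation half of the fix the recommendations describe.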
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-07-11T14:17:06.635Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6872d095a83201eaacb5f0d7
Added to database: 7/12/2025, 9:16:05 PM
Last enriched: 7/20/2025, 8:50:50 PM
Last updated: 10/11/2025, 10:42:28 AM