CVE-2025-8987: SQL Injection in SourceCodester COVID 19 Testing Management System
A vulnerability was identified in SourceCodester COVID 19 Testing Management System 1.0. It affects an unknown part of the file /test-details.php. Manipulation of the argument remark leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-8987 is a SQL injection vulnerability in SourceCodester COVID 19 Testing Management System version 1.0. The flaw is in /test-details.php, where the value of the 'remark' request parameter is placed into a database query without parameterisation or adequate validation, so an attacker who controls that value can change the structure of the SQL statement the application executes rather than merely supplying data to it. The record describes the affected code only as an unknown part of the file, so the exact query has not been published; the exploit details, however, are public. The CVSS 4.0 base score is 6.9 (Medium): network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), low confidentiality, integrity and availability impact on the vulnerable system (VC:L, VI:L, VA:L) and no impact on subsequent systems (SI:N, SA:N). CVSS 4.0 has no Scope metric; SI and SA express subsequent-system impact, not a bypass of security requirements. PR:N means the assessor considered the endpoint reachable without authentication; treat that as the working assumption until the deployed code path has been reviewed. No exploitation in the wild has been reported, but the public exploit details lower the bar for opportunistic attacks. What the injection yields depends on the query and on the privileges of the database account the application uses: at minimum, read access to other rows and tables through UNION or boolean and time-based blind techniques, and potentially modification or deletion of records where stacked queries or a writable code path are available. Because the application stores COVID-19 test results, a compromise can expose patient health data, corrupt test reporting and disrupt testing workflows.
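The mechanism described above, as an added example that is not code from the page or from the SourceCodester project. The application is PHP with a MySQL backend and its real query and schema are not published, so this uses Python's built-in sqlite3 with a constructed test_details table as a stand-in; search_vulnerable reproduces the bug class (the 'remark' value spliced into the SQL text) and search_safe shows the parameterised fix, which maps directly to PDO or mysqli prepared statements in PHP:

```python
import sqlite3

# Constructed, illustrative schema. The real application's tables, columns and
# the exact query in /test-details.php are not published in the record.
SCHEMA = """
CREATE TABLE test_details (id INTEGER PRIMARY KEY, patient TEXT, result TEXT, remark TEXT);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO test_details VALUES (1, 'P-1001', 'negative', 'routine');
INSERT INTO test_details VALUES (2, 'P-1002', 'positive', 'retest');
INSERT INTO test_details VALUES (3, 'P-1003', 'negative', 'routine');
INSERT INTO users VALUES (1, 'admin', '$2y$10$notarealhash');
"""


def open_db():
    """In-memory SQLite database standing in for the application's MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_vulnerable(conn, remark):
    """Bug class behind the CVE: the request value is spliced into the SQL text,
    so a quote in it ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT patient, result, remark FROM test_details WHERE remark = '" + remark + "'"
    return conn.execute(sql).fetchall()


def search_safe(conn, remark):
    """Same query with the value bound as a parameter: the driver passes it as
    data, so it can never alter the statement structure."""
    sql = "SELECT patient, result, remark FROM test_details WHERE remark = ?"
    return conn.execute(sql, (remark,)).fetchall()


def demo():
    """Run a legitimate value and two attacker payloads through both versions."""
    conn = open_db()
    normal = "routine"
    tautology = "' OR '1'='1"                                            # returns every row
    union = "' UNION SELECT username, password_hash, 'x' FROM users -- "  # reads another table
    return {
        "vuln_normal": search_vulnerable(conn, normal),
        "vuln_tautology": search_vulnerable(conn, tautology),
        "vuln_union": search_vulnerable(conn, union),
        "safe_tautology": search_safe(conn, tautology),
        "safe_union": search_safe(conn, union),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The tautology payload makes the vulnerable query return every test record, and the UNION payload pulls the admin password hash out of an unrelated table; the parameterised version returns nothing for both, because the payload is compared literally against the remark column. Escaping the value instead of binding it is not an equivalent fix and is easy to get wrong with charset and numeric-context edge cases.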
Potential Impact
For European organisations this matters most to healthcare providers, laboratories and public health agencies that deployed the system. COVID-19 test results are health data, a special category of personal data under GDPR Article 9, so unauthorised disclosure is a reportable personal data breach with potential for supervisory-authority penalties and reputational damage. Integrity loss could alter or falsify test outcomes, affecting patient care and public health reporting, and a destructive injection could take the testing workflow offline. The Medium rating reflects the limited per-metric impact in the vector, not low risk: the flaw is remotely exploitable without authentication and the exploit is public. Organisations still running SourceCodester COVID 19 Testing Management System 1.0 should treat it as a priority and should ask whether a system holding this data needs to be reachable from the internet at all.
Mitigation Recommendations
Identify any deployment of SourceCodester COVID 19 Testing Management System 1.0. SourceCodester projects are distributed as source code, so do not wait for a vendor update: fix the code in /test-details.php yourself by passing 'remark' (and every other request parameter that reaches the database) to the query as a bound parameter with PDO or mysqli prepared statements rather than concatenating or escaping it. Because the CVE names only the one parameter, review the rest of the application for the same pattern rather than assuming it is the only one. Until the code is fixed, put a WAF or reverse-proxy rule in front of /test-details.php that alerts on or blocks SQL metacharacters and keywords in 'remark', treating it as a stopgap that a determined attacker can often evade. Monitor web server and database logs for UNION, tautology and time-delay payloads against that endpoint. Run the application under a database account limited to the tables and statements it needs, with no FILE, DROP or administrative privileges, so a successful injection cannot read arbitrary files or destroy the schema. Keep tested backups of the database so corrupted or deleted records can be restored, and brief the IT and security teams so the issue is triaged quickly.
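The log-monitoring step above, as an added example that is not part of the original page and not a product rule set. It runs a small set of SQL-injection signatures over the decoded 'remark' value of requests to /test-details.php in Apache-style access log lines; the log lines are constructed for the example (documentation IP ranges, invented timestamps), and the signatures cover only the common probing techniques, so they are suitable for alerting and stopgap blocking, not as a substitute for the code fix:

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log (Apache combined-style, without referer/agent).
# These lines are made up for the example; the IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [14/Aug/2025:22:47:49 +0000] "GET /test-details.php?remark=routine HTTP/1.1" 200 1532
203.0.113.5 - - [14/Aug/2025:22:48:01 +0000] "GET /test-details.php?remark=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9812
198.51.100.7 - - [14/Aug/2025:22:48:30 +0000] "GET /test-details.php?remark=%27%20UNION%20SELECT%20username%2Cpassword%2C1%20FROM%20users--%20 HTTP/1.1" 200 7021
198.51.100.7 - - [14/Aug/2025:22:49:02 +0000] "GET /index.php HTTP/1.1" 200 410
192.0.2.9 - - [14/Aug/2025:22:50:10 +0000] "GET /test-details.php?remark=1%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 1532
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+)$'
)

# Signatures for common probing techniques. Matching runs on the decoded value,
# so percent-encoding alone does not evade it; keyword casing is ignored.
SQLI_RE = re.compile(r"""(?ix)
    ['"]\s*(?:or|and)\s+\S+\s*=\s*\S*          # tautology such as ' OR '1'='1
  | \bunion\b\s+(?:all\s+)?\bselect\b          # UNION SELECT extraction
  | \b(?:sleep|benchmark|pg_sleep|waitfor)\b   # time-based blind probes
  | --\s | /\*                                 # comment sequences that truncate the statement
""")

TARGET_PATH = "/test-details.php"
TARGET_PARAM = "remark"


def analyze_line(line):
    """Return a finding dict if the line is a request to the vulnerable endpoint
    whose 'remark' value looks like an injection attempt, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != TARGET_PATH:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get(TARGET_PARAM, []):
        if SQLI_RE.search(value):
            return {"ip": m.group("ip"), "ts": m.group("ts"), "remark": value}
    return None


def find_sqli_attempts(log_text):
    """Scan a whole log and collect findings in order of appearance."""
    return [hit for hit in map(analyze_line, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in find_sqli_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} remark={hit['remark']!r}")
```

Decoding before matching is the important detail: the same patterns applied to the raw request line would miss the percent-encoded payloads. POST bodies are not in access logs, so if the form submits 'remark' by POST the equivalent check has to run in the WAF or in an application-level hook rather than over these lines.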
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Belgium, Sweden, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-13T16:55:04.508Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 689e6795ad5a09ad005f7e73
Added to database: 8/14/2025, 10:47:49 PM
Last enriched: 8/22/2025, 1:05:56 AM
Last updated: 9/26/2025, 5:15:57 PM