CVE Alert: CVE-2025-10078 – SourceCodester – Online Polling System
CVE-2025-10078
A vulnerability was detected in SourceCodester Online Polling System 1.0. Affected is an unknown function of the file /admin/candidates.php. Manipulation of the argument ID results in SQL injection. Remote exploitation of the attack is possible. The exploit is now public and may be used.
AI Summary Analysis
Risk verdict
High risk: unauthenticated remote SQL injection with a public PoC available; immediate attention advised.
Why this matters
Attackers can read or modify data and potentially exfiltrate information without user interaction. The exposed vector targets backend data and could erode trust in the polling system, with business impact across data confidentiality and integrity.
Most likely attack path
An external attacker sends crafted input in the ID parameter to the vulnerable endpoint, triggering SQL injection. No credentials or UI interaction are required, and the attacker can enumerate or alter data from the database, with potential secondary access if the DB is shared with other modules.
Who is most exposed
Deployments of the SourceCodester Online Polling System 1.0 that expose the admin interface to the internet are particularly at risk, especially those on shared hosting or in small business environments lacking network segmentation.
Detection ideas
- Anomalous requests to the vulnerable endpoint containing SQLi-like payloads in the ID field
- DB error messages or abnormal response patterns visible in application logs or user responses
- Spikes of 500-level errors or timeouts from the affected URL
- WAF alerts for SQLi signatures or unusual request patterns targeting the parameter
- Elevated DB query latency or volume during burst activity
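The first two detection ideas, worked through as an added example (not from the advisory or the vendor): a small scanner over web-server access logs that isolates requests to /admin/candidates.php and flags any ID value that is not a plain integer or that carries SQL metacharacters or keywords. The log lines are constructed samples, and the assumption that ID is always numeric is the author's, not something the advisory states.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Sep/2025:10:01:02 +0000] "GET /admin/candidates.php?ID=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Sep/2025:10:01:09 +0000] "GET /admin/candidates.php?ID=12%27%20OR%201%3D1-- HTTP/1.1" 200 4096 "-" "curl/8.0"
198.51.100.7 - - [10/Sep/2025:10:02:30 +0000] "GET /admin/candidates.php?ID=12+UNION+SELECT+1,2,3 HTTP/1.1" 500 120 "-" "python-requests/2.31"
203.0.113.9 - - [10/Sep/2025:10:03:00 +0000] "GET /index.php?page=vote HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
TARGET_PATH = "/admin/candidates.php"  # endpoint named in the advisory
PARAM = "ID"                           # parameter named in the advisory
# Typical SQL-injection indicators. Assumption: a legitimate ID is only ever an integer,
# so anything else is worth a look even when no keyword matches.
SQLI_RE = re.compile(r"""('|"|--|/\*|;|\b(union|select|or|and|sleep|benchmark)\b)""", re.IGNORECASE)


def inspect_line(line):
    """Return a finding dict for a suspicious request to the vulnerable endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != TARGET_PATH:
        return None
    for raw in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
        value = unquote_plus(raw)  # parse_qs decoded once; decode again to catch double-encoding
        reasons = []
        if not value.strip().isdigit():
            reasons.append("non-integer ID")
        if SQLI_RE.search(value):
            reasons.append("sqli pattern")
        if reasons:
            return {"ip": m.group("ip"), "status": int(m.group("status")),
                    "id_value": value, "reasons": reasons}
    return None


def scan_log(text):
    """Scan a whole log and return the list of findings in order of appearance."""
    return [f for f in (inspect_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Pair the "sqli pattern" hits with the 500-status line to spot the error-based probing the advisory describes; benign traffic to the same endpoint produces no finding.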
Mitigation and prioritisation
- Apply vendor patch or upgrade to a fixed release immediately; verify in staging before production
- If patching is delayed, implement a Web Application Firewall rule set to block common SQLi payloads and restrict the ID parameter
- Enforce parameterised queries and input validation; isolate the DB user to least privilege
- Disable or strongly restrict internet exposure of the admin interface; adopt IP allowlisting and network segmentation
- Implement enhanced logging, real-time alerting, and a patch-change window with rollback plan; document affected components.