CVE-2025-10796

7.3 HIGH

📋 TL;DR

This SQL injection vulnerability in Hostel Management System 1.0 allows attackers to manipulate database queries through the email parameter in the admin login page. Remote attackers can potentially access, modify, or delete database content. All users running the vulnerable version are affected.

💻 Affected Systems

Products:
  • Hostel Management System
Versions: 1.0
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation of version 1.0.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, authentication bypass, privilege escalation, and potential system takeover.

🟠 Likely Case

Unauthorized database access allowing extraction of sensitive information such as user credentials, personal data, and system configuration.

🟢 If Mitigated

Limited impact with proper input validation, parameterized queries, and network segmentation in place.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is accessible remotely and public exploits exist.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this if they have network access to the system.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available and the vulnerability requires no authentication to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch available. Consider implementing parameterized queries in /justines/admin/login.php or migrating to a different system.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

  • Add server-side validation and sanitization for the email parameter before processing SQL queries.
  • Modify login.php to use prepared statements with parameterized queries.

Web Application Firewall (applies to: all)

  • Deploy a WAF with SQL injection protection rules to block malicious requests.
  • Configure WAF rules to detect and block SQL injection patterns.

🧯 If You Can't Patch

  • Isolate the system behind a firewall with strict access controls
  • Implement network segmentation to limit exposure

🔍 How to Verify

Check if Vulnerable:

Test the /justines/admin/login.php endpoint with SQL injection payloads in the email parameter.

Check Version:

Check the system documentation or configuration files for version information.

Verify Fix Applied:

Verify that parameterized queries are implemented and SQL injection attempts are properly rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple failed login attempts with SQL-like patterns

Network Indicators:

  • HTTP POST requests to /justines/admin/login.php containing SQL keywords in parameters

SIEM Query:

source="web_logs" AND uri="/justines/admin/login.php" AND (param="email" AND value CONTAINS "' OR '" OR value CONTAINS "UNION" OR value CONTAINS "SELECT")
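The SIEM query above matches raw parameter values, so a URL-encoded payload (`%27+OR+%27`) or an ordinary address that happens to contain `select` would be missed or wrongly flagged. The following Python is an added example, not part of this advisory or of the Hostel Management System project: it applies the same three indicators to the email parameter of login POSTs after decoding the form body and with word boundaries, over constructed log lines in an assumed `METHOD PATH body` format.

```python
import re
from urllib.parse import parse_qs

TARGET_PATH = "/justines/admin/login.php"

# The three indicators from the SIEM query, checked after URL-decoding and with
# word boundaries so that an address such as "selectors@..." is not flagged.
SQLI_PATTERNS = [
    ("tautology", re.compile(r"'\s*or\s*'", re.IGNORECASE)),  # the "' OR '" form
    ("union", re.compile(r"\bunion\b", re.IGNORECASE)),
    ("select", re.compile(r"\bselect\b", re.IGNORECASE)),
]

# Assumed log format: "METHOD PATH [urlencoded-form-body]" (constructed for this example).
LOG_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<body>\S+))?$")

# Constructed sample lines; they are not taken from any real deployment.
SAMPLE_LOGS = [
    "POST /justines/admin/login.php email=staff%40example.test&password=hunter2",
    "POST /justines/admin/login.php email=admin%27+OR+%271%27%3D%271&password=x",
    "POST /justines/admin/login.php email=a%27+union+select+1%2C2--&password=x",
    "POST /justines/admin/login.php email=selectors%40example.test&password=x",
    "GET /justines/index.php",
]

def parse_line(line):
    """Split a log line into method, path and URL-decoded form parameters."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    params = {k: v[0] for k, v in parse_qs(m.group("body") or "", keep_blank_values=True).items()}
    return {"method": m.group("method"), "path": m.group("path"), "params": params}

def flag_line(line):
    """Return the name of the first indicator found in the email parameter of a login POST, else None."""
    rec = parse_line(line)
    if rec is None or rec["method"] != "POST" or rec["path"] != TARGET_PATH:
        return None
    email = rec["params"].get("email")
    if email is None:
        return None
    for name, pattern in SQLI_PATTERNS:
        if pattern.search(email):
            return name
    return None

def scan(lines):
    # Return (line_index, indicator_name) for every line that should raise an alert.
    hits = [(i, flag_line(line)) for i, line in enumerate(lines)]
    return [(i, name) for i, name in hits if name]
```

Running `scan(SAMPLE_LOGS)` flags only the second and third lines; the legitimate "selectors@" address passes because of the word-boundary match, which the raw CONTAINS query would not give you.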
