Key Information

Vulnerability ID: CVE-2025-10845
Vulnerability Type: Time-based Blind SQL Injection
Affected Component: endpoint in the i-Educar open-source project
Vulnerable Parameter:

Technical Details:
- Vulnerable Endpoint:
- Affected Parameter:
- Payload (Encoded):
- Payload (Decoded):

Proof of Concept (PoC):
- Navigate to and select an ID.
- In the vulnerable endpoint, inject the payload into the parameter (e.g., ).
- The server responds only after a 5-second delay, confirming that the injected SQL was executed by the database.
- Repeat the request with a benign value and compare the response times; the finding is confirmed only when the delay is attributable to the payload rather than to network latency or a slow backend.

Impact:
- Access to sensitive data stored in the database.
- Enumeration of the database structure, tables, and columns.
- Modification, deletion, or addition of arbitrary data.
- Exposure of credit card details and personal information.
- Denial of Service (DoS) by triggering long delays in the database.
- In some cases, depending on database privileges and configuration, escalation to Remote Code Execution (RCE).

Official Sources:
- CVE-2025-10845 on CVE.org
- VulDB Entry

Conclusion:
SQL injection remains one of the most critical threats to web applications, and the time-based blind variant is especially stealthy because nothing in the response body reveals the injection; only the timing does. This discovery shows how a single unvalidated parameter can compromise an entire database platform.
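The PoC above relies on a single 5-second observation, which cannot distinguish a successful injection from network jitter or a momentarily slow backend. The following is an added example, not code from i-Educar, the advisory, or its author: it wraps the confirmation step in a timing oracle that measures a benign baseline alongside the delay payload and only reports the finding when the median difference matches the expected sleep. The endpoint, parameter name, and payload strings are hypothetical placeholders, and the "server" is a constructed simulation so the block runs offline; against a live target you would replace `send` with a real HTTP call and set `expected_delay` to the payload's sleep time (5.0 for the advisory's payload).

```python
"""Confirming a time-based blind SQL injection finding with a timing oracle.

Added example; not code from i-Educar, the advisory, or its author.
The endpoint, parameter and payload strings are hypothetical placeholders,
and make_simulated_endpoint is a constructed stand-in for the vulnerable
server so the block runs offline. Against a live target, replace `send`
with a real HTTP call and set expected_delay to the payload's sleep time
(5.0 for the advisory's 5-second payload).
"""
import statistics
import time
from typing import Callable


def confirm_time_based(
    send: Callable[[str], None],
    benign_value: str,
    delayed_value: str,
    expected_delay: float,
    samples: int = 3,
    tolerance_fraction: float = 0.3,
) -> dict:
    """Compare the median round-trip time of a benign value with a delay payload.

    The finding counts as confirmed only when the delayed median exceeds the
    benign median by roughly `expected_delay` (within tolerance_fraction of
    it). Measuring a baseline and taking medians over several samples keeps
    network jitter or a generally slow backend from being mistaken for a
    successful injection, which a single 5-second observation cannot rule out.
    """
    def round_trip(value: str) -> float:
        start = time.perf_counter()
        send(value)
        return time.perf_counter() - start

    baseline = statistics.median([round_trip(benign_value) for _ in range(samples)])
    delayed = statistics.median([round_trip(delayed_value) for _ in range(samples)])
    delta = delayed - baseline
    tolerance = expected_delay * tolerance_fraction
    return {
        "baseline_median": baseline,
        "delayed_median": delayed,
        "delta": delta,
        "confirmed": abs(delta - expected_delay) <= tolerance,
    }


def make_simulated_endpoint(
    delay_marker: str, delay: float, base_latency: float = 0.02
) -> Callable[[str], None]:
    """Constructed stand-in for a server that concatenates the parameter into
    SQL: any value containing `delay_marker` (standing in for the database's
    sleep function reaching the query) stalls the response by `delay` seconds.
    Every other value returns after the normal `base_latency`."""
    def send(value: str) -> None:
        time.sleep(base_latency)
        if delay_marker in value:
            time.sleep(delay)
    return send


if __name__ == "__main__":
    # Hypothetical: 0.5 s stands in for the 5 s delay of the advisory's payload
    # so the demo finishes quickly; the decision logic is unchanged.
    send = make_simulated_endpoint("SLEEP_MARKER", delay=0.5)
    print(confirm_time_based(send, "1", "1 SLEEP_MARKER", expected_delay=0.5))
    print(confirm_time_based(send, "1", "2", expected_delay=0.5))
```

The tolerance is expressed as a fraction of the expected delay rather than a fixed number of seconds, so the same check works for a 5-second payload on a live target (tolerance 1.5 s) and for the scaled-down simulation. Keep `samples` small against production systems: every delayed request ties up a database connection for the full sleep, which is exactly the DoS vector listed under Impact.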