PT-2026-2301 · Unknown · Gym Management System
Published: 2026-01-12 · Updated: 2026-01-27 · CVE-2025-67146
CVSS v3.1: 9.4 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions
AbhishekMali21 GYM-MANAGEMENT-SYSTEM version 1.0
Description
The application contains multiple SQL injection flaws. They are reachable through the name parameter in the member search.php, trainer search.php, and gym search.php files, and through the id parameter in the payment search.php file. A remote, unauthenticated attacker can inject malicious SQL commands. Successful exploitation could lead to unauthorized data extraction, authentication bypass, or modification of database contents.
Recommendations
Apply input validation and sanitization to the name parameter in member search.php.
Apply input validation and sanitization to the name parameter in trainer search.php.
Apply input validation and sanitization to the name parameter in gym search.php.
Apply input validation and sanitization to the id parameter in payment search.php.
Exploit
Fix
SQL injection
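One way to apply the recommendations above to a name search and an id lookup, combining input validation with bound parameters (prepared statements). This is an added example, not code from the Gym Management System: the table and column names, the function names `searchMembersByName` and `findPaymentById`, and the in-memory SQLite database standing in for the application's database are all assumptions.

```php
<?php
declare(strict_types=1);

// Added example: table and column names are assumptions, not the project's schema.
// In-memory SQLite stands in for the application's database so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE member (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec('CREATE TABLE payment (id INTEGER PRIMARY KEY, member_id INTEGER, amount INTEGER)');
// Constructed sample rows.
$pdo->exec("INSERT INTO member (name) VALUES ('Alice'), ('Bob'), ('100%_fit')");
$pdo->exec('INSERT INTO payment (member_id, amount) VALUES (1, 500), (2, 700)');

/** Name search: the value is bound as data and never concatenated into the SQL text. */
function searchMembersByName(PDO $pdo, string $name): array
{
    $name = trim($name);
    if ($name === '' || strlen($name) > 64) {
        return []; // reject empty or oversized input before querying
    }
    // Escape LIKE wildcards so "%" and "_" in user input match literally.
    $pattern = '%' . strtr($name, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
    $stmt = $pdo->prepare("SELECT id, name FROM member WHERE name LIKE :p ESCAPE '!'");
    $stmt->execute([':p' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Payment lookup: accept only a positive integer id, then bind it with an integer type. */
function findPaymentById(PDO $pdo, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // not an integer: the value never reaches the database
    }
    $stmt = $pdo->prepare('SELECT id, member_id, amount FROM payment WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a normal name, a quote-bearing name, a bare wildcard, ids.
var_dump(searchMembersByName($pdo, 'Ali'));     // ordinary substring search
var_dump(searchMembersByName($pdo, "O'Brien")); // quote is treated as data
var_dump(searchMembersByName($pdo, '%'));       // wildcard matches only a literal "%"
var_dump(findPaymentById($pdo, '2'));           // valid integer id
var_dump(findPaymentById($pdo, '2abc'));        // rejected by validation
```

The same pattern applies to each of the four search files named in the recommendations; the LIKE escaping matters because a bound value still keeps its wildcard meaning inside a LIKE pattern.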
Weakness Enumeration
Related Identifiers
Affected Products
Gym Management System