CodeAstro Gym Management System CVE-2025-11590
Severity (by source): LOW
Primary rating from NVD, the only source for this CVE.
CVSS Vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A weakness has been identified in CodeAstro Gym Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/equipment-entry.php. Executing a manipulation of the argument ename can lead to SQL injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks.
Analysis (AI)
SQL injection in CodeAstro Gym Management System 1.0 allows authenticated remote attackers to manipulate the ename parameter of /admin/equipment-entry.php and alter the database query it builds, with low confidentiality, integrity, and availability impact. Publicly available exploit code exists, but real-world risk is assessed as minimal because of the low EPSS score (0.03%, 8th percentile), the limited scope impact, and the requirement for authenticated access, despite the network attack vector.
Technical Context (AI)
The vulnerability lies in the PHP administrative script /admin/equipment-entry.php, where the user-supplied ename parameter is used in SQL query construction without proper sanitization. This is a classic manifestation of CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component): the application neither escapes nor parameterizes the ename argument when building the SQL statement. The affected product is CodeAstro Gym Management System version 1.0, identified by CPE cpe:2.3:a:codeastro:gym_management_system:1.0:*:*:*:*:*:*:*. The vulnerability chain is straightforward: the web application accepts user input in an HTTP request, and the PHP script concatenates that input directly into a database query with neither prepared statements nor input validation.
Remediation (AI)
Primary remediation is to upgrade CodeAstro Gym Management System beyond version 1.0 if a patched version is available from the vendor; no specific patched version is confirmed in the available data, so contact CodeAstro directly at https://codeastro.com/ for patch availability and release timeline. Immediate compensating controls:
1. Restrict access to /admin/equipment-entry.php via network firewall or Web Application Firewall (WAF) rules to trusted IP addresses only, reducing the exposure of the authenticated attack surface.
2. Implement input validation and prepared statements (parameterized queries) in equipment-entry.php, using PHP PDO or mysqli with bound parameters instead of string concatenation for the ename parameter.
3. Suppress SQL error details in responses to prevent disclosure of information about the database schema.
4. Audit all other admin PHP files for the same SQL injection pattern, as the identified file may not be the only vulnerable entry point.
The trade-off of IP-based restrictions is reduced accessibility for remote administrators; consider a VPN or bastion host architecture as an alternative. Until patched, organizations should disable the equipment entry feature if it is not actively used.
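As an added illustration of remediation items 2 and 3 (this is not CodeAstro's code and is not taken from the CVE record), the following PHP shows the string-concatenation pattern described in the Technical Context beside a prepared-statement version with input validation and generic error handling. It runs against an in-memory SQLite database so it works offline; the table and column names (equipment, ename), the validation rule and the handler structure are assumptions. For a MySQL backend the same PDO code applies with a mysql: DSN and PDO::ATTR_EMULATE_PREPARES set to false so the binding is done server-side.

```php
<?php
// Added example, not CodeAstro's code. Table/column names, the validation
// allow-list and the handler layout are assumptions for illustration.
declare(strict_types=1);

// Vulnerable pattern (constructed illustration of the bug class): the value is
// spliced into the SQL text, so the database cannot tell data from query.
function insertEquipmentUnsafe(PDO $db, string $ename): void
{
    $db->exec("INSERT INTO equipment (ename) VALUES ('" . $ename . "')");
}

// Validation: bound the length and restrict to characters an equipment name
// plausibly needs. The allow-list is an assumption; adjust it to the real app.
function validateEquipmentName(string $ename): ?string
{
    $ename = trim($ename);
    if ($ename === '' || mb_strlen($ename) > 100) {
        return null;
    }
    return preg_match('/^[\p{L}\p{N} \'\-_.()]+$/u', $ename) === 1 ? $ename : null;
}

// Fix: fixed SQL text, value supplied as a bound parameter. A name containing
// a quote is stored literally and never parsed as part of the statement.
function insertEquipmentSafe(PDO $db, string $ename): bool
{
    $stmt = $db->prepare('INSERT INTO equipment (ename) VALUES (:ename)');
    $stmt->bindValue(':ename', $ename, PDO::PARAM_STR);
    return $stmt->execute();
}

// Request handler as the admin page might wire it (assumed structure). The
// client gets a generic message; the detailed exception goes only to the log
// (remediation item 3: no schema details in responses).
function handleEquipmentEntry(PDO $db, array $post): string
{
    $ename = validateEquipmentName((string) ($post['ename'] ?? ''));
    if ($ename === null) {
        return 'Invalid equipment name.';
    }
    try {
        return insertEquipmentSafe($db, $ename) ? 'Equipment saved.' : 'Save failed.';
    } catch (PDOException $e) {
        error_log('equipment-entry insert failed: ' . $e->getMessage());
        return 'Save failed.';
    }
}

// Demo on an in-memory database (SQLite uses native prepared statements).
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE equipment (id INTEGER PRIMARY KEY, ename TEXT NOT NULL)');

$name = "Rowing Machine (O'Neil's)";   // constructed input containing a quote

try {
    insertEquipmentUnsafe($db, $name);
} catch (PDOException $e) {
    // The quote breaks the statement: the value was parsed as SQL, not data.
    echo 'unsafe: ' . $e->getMessage() . PHP_EOL;
}

echo 'safe: ' . handleEquipmentEntry($db, ['ename' => $name]) . PHP_EOL;
echo 'safe: ' . handleEquipmentEntry($db, ['ename' => 'Bench; Press']) . PHP_EOL; // rejected: ';' not allowed

foreach ($db->query('SELECT ename FROM equipment') as $row) {
    echo "stored: {$row['ename']}" . PHP_EOL;
}
```

Running it shows the concatenated insert failing on an ordinary apostrophe while the bound-parameter insert stores the same name intact, which is the behavioural difference a code audit of the other admin scripts (remediation item 4) should look for.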