CodeAstro Gym Management System CVE-2025-11592
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A vulnerability was detected in CodeAstro Gym Management System 1.0. This affects an unknown part of the file /admin/edit-equipmentform.php. The manipulation of the argument ID results in sql injection. The attack can be launched remotely. The exploit is now public and may be used.
AnalysisAI
SQL injection in CodeAstro Gym Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /admin/edit-equipmentform.php. The vulnerability requires valid user credentials (privilege level L) but no user interaction. Publicly available exploit code exists, though EPSS indicates very low real-world exploitation probability (0.03%, 8th percentile). Despite the public POC, the CVSS 2.1 score and minimal impact scope (VC:L/VI:L/VA:L with no scope change) suggest limited practical risk in most deployments.
Technical ContextAI
The vulnerability stems from improper input validation in a PHP-based web application. The /admin/edit-equipmentform.php endpoint accepts an ID parameter that is used directly in SQL queries without parameterized statements or prepared statements, allowing SQL injection (CWE-74: Improper Neutralization of Special Elements used in an SQL Command). The affected product is CodeAstro's Gym Management System, a PHP-based application running on web servers. The SQLi can be exploited only by authenticated administrators or users with PR:L (Low privilege) access to the admin panel, limiting the attack surface significantly. The network-accessible endpoint (AV:N) combined with low attack complexity (AC:L) makes the vulnerability trivially exploitable once an attacker has credentials, but initial compromise requires legitimate admin-level account access or credential theft.
RemediationAI
Upgrade CodeAstro Gym Management System to a patched version released after CVE-2025-11592 disclosure (exact patched version not confirmed in available data). If an upgrade is unavailable or delayed, implement the following compensating controls: (1) restrict /admin/edit-equipmentform.php access to a whitelist of trusted IP addresses or a VPN-only network segment, reducing remote attack surface; (2) enforce strong authentication policies including multi-factor authentication for admin accounts, significantly raising credential compromise risk; (3) implement Web Application Firewall (WAF) rules to detect and block common SQL injection payloads in the ID parameter (trade-off: potential false positives requiring tuning); (4) monitor database query logs for anomalous SQL patterns in the edit-equipment endpoint. Validate with CodeAstro directly (https://codeastro.com/) for patch availability and timeline.
More from same product – last 7 days
Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a
Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo
Share
External POC / Exploit Code
Leaving vuln.today