CodeAstro Gym Management System CVE-2025-11593

LOW
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') (CWE-74)
2025-10-11 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026 - 02:15 (vuln.today)

Description (CVE.org)

A flaw has been found in CodeAstro Gym Management System 1.0. This vulnerability affects unknown code of the file /admin/actions/delete-equipment.php. This manipulation of the argument ID causes SQL injection. The attack may be initiated remotely. The exploit has been published and may be used.

Analysis (AI)

SQL injection in CodeAstro Gym Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /admin/actions/delete-equipment.php. The vulnerability requires valid user credentials (PR:L) and has publicly available exploit code; however, the EPSS score of 0.03% and limited impact scope (VC:L/VI:L/VA:L) indicate low real-world exploitation probability despite technical exploitability.

Technical Context (AI)

The vulnerability exists in PHP code handling database operations within the admin panel's equipment deletion endpoint. The ID parameter in /admin/actions/delete-equipment.php is not properly sanitized or parameterized before being incorporated into SQL queries, violating CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component). The affected product is a lightweight PHP-based gym management application (CPE: cpe:2.3:a:codeastro:gym_management_system:1.0:*:*:*:*:*:*:*) likely using direct string concatenation in SQL statement construction rather than prepared statements.

Remediation (AI)

Upgrade to version 1.1 or later once CodeAstro releases a patched version; check with the vendor at https://codeastro.com/ for availability. As an immediate workaround, add input validation and parameterized queries (prepared statements) to /admin/actions/delete-equipment.php so that the ID value can no longer alter the SQL statement: replace direct string concatenation with parameterized placeholders (for example, PHP PDO with named parameters or mysqli prepared statements). Additionally, restrict access to /admin/ paths to internal IP ranges or a VPN, and audit database user privileges so that the PHP application runs with the minimum permissions it needs (for example, SELECT and DELETE on the equipment table only, not a full administrative account). These controls close the exploitation path while a vendor patch is awaited.
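The contrast the remediation describes, shown as an added example that is not CodeAstro's code: a hypothetical concatenating delete handler of the kind the technical context suspects, followed by a hardened PDO version with integer validation, a bound parameter and a least-privilege connection. The table name `equipment`, column `id`, the `gym_app` account, the DSN and the session check are all assumptions.

```php
<?php
// Added illustration (not the project's own code). Assumed schema: table
// `equipment` with integer primary key `id`; assumed request field `ID`.

// --- Hypothetical vulnerable shape: the request value becomes SQL text ---
function deleteEquipmentUnsafe(mysqli $db, array $request): void
{
    // Whatever arrives in ID is spliced into the statement itself (CWE-89).
    $db->query("DELETE FROM equipment WHERE id = " . $request['ID']);
}

// --- Hardened handler: validate first, then bind the value as data ---
function deleteEquipment(PDO $pdo, array $request): int
{
    // 1. Accept only a positive integer; anything else is rejected up front.
    $id = filter_var($request['ID'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('ID must be a positive integer');
    }

    // 2. Prepared statement: the query text is fixed, the value travels
    //    separately, so it can never change the statement's structure.
    $stmt = $pdo->prepare('DELETE FROM equipment WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    // 0 rows means "no such equipment", which callers should treat as not-found.
    return $stmt->rowCount();
}

// Connection used by the hardened handler (assumed DSN and credentials):
// - ATTR_EMULATE_PREPARES=false makes PDO use real server-side prepares;
// - ATTR_ERRMODE exceptions stop execution instead of continuing after a
//   failed query;
// - `gym_app` is a dedicated account that should only hold the privileges
//   this application needs, e.g. GRANT SELECT, DELETE ON gym.equipment TO
//   'gym_app'@'localhost'; rather than a full administrative account.
$pdo = new PDO(
    'mysql:host=localhost;dbname=gym;charset=utf8mb4',
    'gym_app',
    getenv('GYM_DB_PASSWORD') ?: '',
    [PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

// The endpoint is admin-only (PR:L in the vector): require a logged-in admin
// session before any database work. The request method (POST) is assumed.
session_start();
if (empty($_SESSION['admin_id'])) { http_response_code(403); exit; }
try {
    $deleted = deleteEquipment($pdo, $_POST);
    http_response_code($deleted > 0 ? 200 : 404);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
}
```

The same bound-parameter pattern applies with mysqli (`prepare` plus `bind_param('i', $id)`), which is the other option the remediation names.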

CVE-2025-11593 vulnerability details – vuln.today