CodeAstro Gym Management System CVE-2025-12261
Severity (by source): LOW
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD; only source for this CVE.
Description (CVE.org)
A vulnerability was found in CodeAstro Gym Management System 1.0. This affects an unknown function of the file /admin/actions/remove-announcement.php. Performing a manipulation of the argument ID results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used.
Analysis (AI)
SQL injection in CodeAstro Gym Management System 1.0 allows an authenticated remote attacker to manipulate the ID parameter of /admin/actions/remove-announcement.php and alter the SQL query it issues, with limited confidentiality, integrity and availability impact (VC:L/VI:L/VA:L). Public exploit code exists, but the EPSS exploitation probability is extremely low (reported as 0.01). That is consistent with the CVSS vector: the endpoint sits behind admin-panel authentication (PR:L), and a small gym-management deployment offers little real-world payoff despite being reachable over the network (AV:N).
Technical Context (AI)
The vulnerability lies in a PHP-based gym management application whose administrative remove-announcement.php handler incorporates the user-supplied ID argument into an SQL statement without parameterizing it or validating its type. It is a classic SQL injection, classified by the source under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'); the more specific weakness for SQL is CWE-89. An attacker who is authenticated to the admin panel can supply ID values containing SQL keywords and metacharacters (OR, UNION, quote characters, comment sequences such as -- or /*) to change the query's logic; since the ID should only ever be an integer, any non-numeric value reaching the query is itself a sign of the missing input check. The affected CPE indicates that CodeAstro Gym Management System version 1.0 is the sole confirmed vulnerable release.
Remediation (AI)
No vendor-released patch has been identified at the time of analysis. Contact CodeAstro directly at https://codeastro.com/ to confirm whether a fixed version exists and, if so, upgrade to it. Until a patch is confirmed, apply compensating controls:

(1) Restrict access to the admin panel (/admin/) to specific IP addresses or a VPN network using firewall or web-server rules (.htaccess, nginx location rules). This shrinks the attack surface even for holders of valid admin credentials.
(2) Add a Web Application Firewall (WAF) rule for the ID parameter of /admin/actions/remove-announcement.php. Because the ID should only ever be a positive integer, an allowlist rule that rejects any non-digit value is far more precise than a keyword denylist (OR, UNION, --, /*), which both produces false positives and is routinely bypassed with case changes, inline comments and alternative encodings.
(3) If the source code is accessible and modifiable, replace the direct SQL string concatenation in remove-announcement.php with a prepared statement (placeholder plus bound parameter) and validate the ID as an integer before it reaches the database layer.

Each control trades operational complexity against risk: IP restriction may inconvenience remote admins, WAF rules risk false positives, and code-level fixes require development effort. Until a vendor patch is confirmed, IP restriction combined with WAF enforcement provides the strongest defense, but only the code-level fix removes the weakness itself.