Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A vulnerability was found in code-projects Gym Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/edit_exercises.php. The manipulation of the argument edit_exercise results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used.
AnalysisAI
SQL injection in code-projects Gym Management System 1.0 allows authenticated high-privilege users to manipulate the edit_exercise parameter in /admin/edit_exercises.php, enabling remote database queries with limited confidentiality, integrity, and availability impact. Publicly available exploit code exists; CVSS 4.7 reflects low real-world risk due to high-privilege requirement (PR:H), though the vulnerability remains remotely accessible without user interaction.
Technical ContextAI
The vulnerability exists in a PHP-based gym management application where the /admin/edit_exercises.php endpoint fails to properly sanitize user input in the edit_exercise parameter before incorporating it into SQL queries. This is a classic SQL injection (CWE-89) flaw where unsanitized input flows directly into database commands. The CPE cpe:2.3:a:code-projects:gym_management_system:*:*:*:*:*:*:*:* indicates the entire product line version 1.0 and potentially beyond are affected. The vulnerability requires administrative-level privileges (PR:H in CVSS vector), meaning the attacker must already possess a high-privilege account within the application.
RemediationAI
The primary remediation is to apply a vendor-released patch or upgrade to a patched version of Gym Management System if available; contact code-projects.org or check VulDB (https://vuldb.com/vuln/360361) for patch availability and recommended version. Until a patch is deployed, restrict administrative access to the /admin/edit_exercises.php endpoint using web application firewall (WAF) rules that block requests containing SQL metacharacters (semicolons, quotes, parentheses, keywords like 'UNION', 'SELECT', 'DROP') in the edit_exercise parameter. Implement prepared statements or parameterized queries in the affected PHP code to prevent SQL injection at the application layer-replace all direct string concatenation in SQL queries with parameterized placeholders (e.g., mysqli prepared statements or PDO with bound parameters). Additionally, audit all admin user accounts and revoke high-privilege credentials from accounts not actively requiring them; enforce strong password policies and multi-factor authentication for admin panels to reduce the likelihood of credential compromise. Monitor database query logs for anomalous SQL patterns (e.g., UNION queries, multiple SELECTs, data exfiltration attempts) originating from the admin panel. These compensating controls introduce minimal performance overhead but require ongoing maintenance of WAF rules and log monitoring.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26478