CVE-2025-67146

CRITICAL

Abhishekmali21 Gym Management System - SQL Injection

Description

Multiple SQL Injection vulnerabilities exist in AbhishekMali21 GYM-MANAGEMENT-SYSTEM 1.0 via the 'name' parameter in (1) member_search.php, (2) trainer_search.php, and (3) gym_search.php, and via the 'id' parameter in (4) payment_search.php. An unauthenticated remote attacker can exploit these issues to inject malicious SQL commands, leading to unauthorized data extraction, authentication bypass, or modification of database contents.

Exploits (1)

github WORKING POC
by sivaadityacoder · php · poc
https://github.com/sivaadityacoder/CVE-2025-67146-CVE-2025-67147

Scores

CVSS v3 9.4
EPSS 0.0013
EPSS Percentile 32.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Details

CWE
CWE-89
Status published
Products (1)
abhishekmali21/gym_management_system 1.0
Published Jan 12, 2026
Tracked Since Feb 18, 2026