CVE-2025-67147

CRITICAL

Gym-Management-System-PHP 1.0 - SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-67147. PoCs published by sivaadityacoder.

AI-analyzed exploit summary: The repository contains functional PHP exploit code demonstrating SQL injection vulnerabilities in a gym management system. The code shows direct user input concatenation into SQL queries without proper sanitization, enabling SQLi attacks.

Description

Multiple SQL Injection vulnerabilities exist in amansuryawanshi Gym-Management-System-PHP 1.0 via the 'name', 'email', and 'comment' parameters in (1) submit_contact.php, the 'username' and 'pass_key' parameters in (2) secure_login.php, and the 'login_id', 'pwfield', and 'login_key' parameters in (3) change_s_pwd.php. An unauthenticated or authenticated attacker can exploit these issues to bypass authentication, execute arbitrary SQL commands, modify database records, delete data, or escalate privileges to administrator level.

Exploits (1)

GitHub, working PoC
by sivaadityacoder · phppoc
https://github.com/sivaadityacoder/CVE-2025-67146-CVE-2025-67147


Classification: Working PoC (95%)
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: Gym Management System (version unspecified)
Authentication: none needed
Prerequisites: access to vulnerable web application endpoints
Analyzed by devstral-2 on Apr 25, 2026

Scores

CVSS v3: 9.8
EPSS: 0.0005
EPSS Percentile: 15.6%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC (Vulnrichment)

Exploitation: poc
Automatable: yes
Technical Impact: total

Details

CWE: CWE-89
Status: published
Published: Jan 12, 2026
Tracked Since: Feb 18, 2026