CVE-2025-67147
CRITICALGym-Management-System-PHP 1.0 - SQL Injection
Title source: llmDescription
Multiple SQL Injection vulnerabilities exist in amansuryawanshi Gym-Management-System-PHP 1.0 via the 'name', 'email', and 'comment' parameters in (1) submit_contact.php, the 'username' and 'pass_key' parameters in (2) secure_login.php, and the 'login_id', 'pwfield', and 'login_key' parameters in (3) change_s_pwd.php. An unauthenticated or authenticated attacker can exploit these issues to bypass authentication, execute arbitrary SQL commands, modify database records, delete data, or escalate privileges to administrator level.
Exploits (1)
github
WORKING POC
by sivaadityacoder · phppoc
https://github.com/sivaadityacoder/CVE-2025-67146-CVE-2025-67147
Scores
CVSS v3
9.8
EPSS
0.0008
EPSS Percentile
24.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Published
Jan 12, 2026
Tracked Since
Feb 18, 2026