EIP-2026-107541

PRE-CVE

Gym Management System 1.0 - Unauthenticated Remote Code Execution

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-107541. PoCs published by boku.

AI-analyzed exploit summary This exploit demonstrates an unauthenticated file upload vulnerability in Gym Management System 1.0, allowing remote code execution by bypassing image upload filters via double extensions and manipulated Content-Type headers. The PoC uploads a malicious PHP file and establishes a webshell for command execution.

Description

Gym Management System 1.0 - Unauthenticated Remote Code Execution

Exploits (1)

exploitdb WORKING POC

by boku · pythonwebappsphp

https://www.exploit-db.com/exploits/48506

View Code ZIP pw:eip

This exploit demonstrates an unauthenticated file upload vulnerability in Gym Management System 1.0, allowing remote code execution by bypassing image upload filters via double extensions and manipulated Content-Type headers. The PoC uploads a malicious PHP file and establishes a webshell for command execution.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Gym Management System 1.0

No auth needed

Prerequisites: Network access to the target web application · Python 2.7 environment

MITRE ATT&CK

T1105 - Ingress Tool Transfer T1505.003 - Web Shell

devstral-2 · analyzed Feb 18, 2026 Full analysis →

Details

Status pre_cve

Tracked Since Feb 18, 2026