Description
A vulnerability has been found in code-projects Simple Gym Management System up to 1.0. This affects an unknown part of the file /gym/func.php. Manipulation of the argument Trainer_id/fname leads to SQL injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
Published: 2026-03-22
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote SQL Injection
Action: Apply Patch
AI Analysis

Impact

A remote SQL injection vulnerability exists in the code-projects Simple Gym Management System, affecting the /gym/func.php file in versions up to 1.0. By manipulating the Trainer_id and fname parameters, an attacker can inject arbitrary SQL code. This flaw can compromise the confidentiality and integrity of the database, allowing unauthorized read or modification of member and trainer data.

Affected Systems

The vulnerability targets the Simple Gym Management System provided by code-projects, specifically versions up to 1.0. The insecure logic resides in the func.php script, which processes trainer and member information. Users running any unpatched installation of this product should verify their version and apply updates if available.

Risk and Exploitability

With a CVSS base score of 5.1, the risk is moderate. Although no EPSS data is available, the issue has been publicly disclosed and can be exploited remotely via crafted HTTP requests. The vulnerability is not yet listed in the CISA KEV catalog, but its exploitability through a typical web request suggests a realistic attack surface. Organizations should treat this as a potential threat to database integrity and confidentiality.

Generated by OpenCVE AI on March 22, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the application to a version newer than 1.0.
  • Restrict external access to the vulnerable endpoint.
  • Implement input validation and use parameterized queries.
  • Monitor web server logs for suspicious SQL activity.

Generated by OpenCVE AI on March 22, 2026 at 15:21 UTC.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 16:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type: First Time appeared
Values Added: Code-projects; Code-projects simple Gym Management System

Type: Vendors & Products
Values Added: Code-projects; Code-projects simple Gym Management System

Sun, 22 Mar 2026 14:00:00 +0000

Type: Description
Values Added: A vulnerability has been found in code-projects Simple Gym Management System up to 1.0. This affects an unknown part of the file /gym/func.php. Such manipulation of the argument Trainer_id/fname leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.

Type: Title
Values Added: code-projects Simple Gym Management System func.php sql injection

Type: Weaknesses
Values Added: CWE-74, CWE-89

Type: References

Type: Metrics
Values Added:
cvssV2_0 {'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
cvssV3_0 {'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV3_1 {'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-23T15:29:24.803Z

Reserved: 2026-03-21T16:51:02.531Z

Link: CVE-2026-4550

Vulnrichment

Updated: 2026-03-23T15:29:14.121Z

NVD

Status: Awaiting Analysis

Published: 2026-03-22T14:16:35.243

Modified: 2026-03-23T16:16:52.370

Link: CVE-2026-4550

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:50:36Z

Weaknesses