CVE-2025-41081
Unknown Unknown - Not Provided
Reflected XSS in IsMyGym PHP Allows Session Hijacking

Publication date: 2026-01-20

Last updated on: 2026-02-26

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
Reflected Cross-Site Scripting (XSS) vulnerability in IsMyGym by Zuinq Studio. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL with '/<PATH>.php/<XSS>'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-20
Last Modified
2026-02-26
Generated
2026-06-16
AI Q&A
2026-01-20
EPSS Evaluated
2026-06-15
NVD
CVE-2025-41081
EUVD
EUVD-2026-3445
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zuinq_studio ismygym *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-41081 is a reflected Cross-Site Scripting (XSS) vulnerability in IsMyGym, a gym management system by Zuinq Studio. It allows an attacker to execute arbitrary JavaScript code in a victim's browser by sending them a malicious URL formatted as '/<PATH>.php/<XSS>'. This means the attacker can trick users into clicking a specially crafted link that runs harmful scripts in their browser. [1]

Impact Analysis

This vulnerability can lead to theft of sensitive user data such as session cookies, which can be used to hijack user sessions. Additionally, an attacker can perform unauthorized actions on behalf of the user, potentially compromising user accounts and data integrity. [1]

Detection Guidance

This vulnerability can be detected by testing for reflected Cross-Site Scripting (XSS) in the IsMyGym application. Specifically, you can attempt to access URLs formatted as '/<PATH>.php/<XSS>' where <XSS> is a JavaScript payload, and observe if the payload is executed or reflected in the response. For example, you can use curl or a browser to send requests with payloads such as '/index.php/<script>alert(1)</script>' and check if the script executes or appears in the response. Automated tools like OWASP ZAP or Burp Suite can also be used to scan for reflected XSS vulnerabilities by injecting scripts into URL parameters and paths. [1]

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update IsMyGym to the latest version where Zuinq Studio has fixed the reflected XSS vulnerability. Additionally, as a temporary measure, you can implement input validation and output encoding on the server side to prevent execution of injected scripts. Employing Web Application Firewalls (WAF) to block malicious requests containing suspicious script payloads can also help reduce risk until the update is applied. [1]

Compliance Impact

This vulnerability allows attackers to steal sensitive user data such as session cookies and perform unauthorized actions on behalf of users, which could lead to violations of data protection regulations like GDPR or HIPAA due to unauthorized access and potential data breaches. However, specific impacts on compliance are not detailed in the provided resources. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-41081. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart