CVE-2025-41081
Reflected XSS in IsMyGym PHP Allows Session Hijacking
Publication date: 2026-01-20
Last updated on: 2026-02-26
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zuinq_studio | ismygym | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-41081 is a reflected Cross-Site Scripting (XSS) vulnerability in IsMyGym, a gym management system by Zuinq Studio. It allows an attacker to execute arbitrary JavaScript code in a victim's browser by sending them a malicious URL formatted as '/<PATH>.php/<XSS>'. This means the attacker can trick users into clicking a specially crafted link that runs harmful scripts in their browser. [1]
How can this vulnerability impact me? :
This vulnerability can lead to theft of sensitive user data such as session cookies, which can be used to hijack user sessions. Additionally, an attacker can perform unauthorized actions on behalf of the user, potentially compromising user accounts and data integrity. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing for reflected Cross-Site Scripting (XSS) in the IsMyGym application. Specifically, you can attempt to access URLs formatted as '/<PATH>.php/<XSS>' where <XSS> is a JavaScript payload, and observe if the payload is executed or reflected in the response. For example, you can use curl or a browser to send requests with payloads such as '/index.php/<script>alert(1)</script>' and check if the script executes or appears in the response. Automated tools like OWASP ZAP or Burp Suite can also be used to scan for reflected XSS vulnerabilities by injecting scripts into URL parameters and paths. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update IsMyGym to the latest version where Zuinq Studio has fixed the reflected XSS vulnerability. Additionally, as a temporary measure, you can implement input validation and output encoding on the server side to prevent execution of injected scripts. Employing Web Application Firewalls (WAF) to block malicious requests containing suspicious script payloads can also help reduce risk until the update is applied. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows attackers to steal sensitive user data such as session cookies and perform unauthorized actions on behalf of users, which could lead to violations of data protection regulations like GDPR or HIPAA due to unauthorized access and potential data breaches. However, specific impacts on compliance are not detailed in the provided resources. [1]