CVE-2026-26709
SQL Injection in Simple Gym Management System Trainer Search
Publication date: 2026-03-02
Last updated on: 2026-03-06
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| carmelo | simple_gym_management_system | 1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in code-projects Simple Gym Management System v1.0 is an SQL Injection found in the /gym/trainer_search.php file.
SQL Injection is a security flaw that allows an attacker to manipulate the database queries by injecting malicious SQL code through input fields, potentially leading to unauthorized data access or modification.
How can this vulnerability impact me? :
This SQL Injection vulnerability can allow attackers to access, modify, or delete sensitive data stored in the gym management system's database.
It may lead to unauthorized disclosure of personal information, data corruption, or even full system compromise depending on the database permissions.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'The vulnerability is an SQL Injection in the /gym/trainer_search.php endpoint of the code-projects Simple Gym Management System v1.0.'}, {'type': 'paragraph', 'content': 'To detect this vulnerability, you can attempt to inject SQL payloads into the trainer_search.php parameter inputs and observe if the system behaves unexpectedly or returns SQL errors.'}, {'type': 'list_item', 'content': 'Use curl or similar tools to send crafted requests, for example: curl -G \'http://target/gym/trainer_search.php\' --data-urlencode "search=\' OR \'1\'=\'1"'}, {'type': 'list_item', 'content': 'Use automated SQL injection detection tools such as sqlmap targeting the vulnerable URL: sqlmap -u "http://target/gym/trainer_search.php?search=test" --batch'}] [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include sanitizing and validating all user inputs on the /gym/trainer_search.php page to prevent SQL injection.
Use prepared statements or parameterized queries in the backend code to handle database queries safely.
If possible, restrict access to the vulnerable endpoint until a patch or fix is applied.
Monitor logs for suspicious input patterns that may indicate exploitation attempts.