Cyber Resilience

CVE-2025-67146

Critical · Public PoC

Published: 12 January 2026
Modified: 27 January 2026
KEV Added: not listed
Patch: none listed
CVSS Score v3.1: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0055 (41.9th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-67146 covers a set of critical-severity SQL injection (CWE-89) vulnerabilities in AbhishekMali21 GYM-MANAGEMENT-SYSTEM 1.0. The CVSS v3.1 base score is 9.4 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the CVE at the 41.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-67146, published on 2026-01-12, describes multiple SQL injection vulnerabilities (CWE-89) in AbhishekMali21 GYM-MANAGEMENT-SYSTEM version 1.0. The issues affect the 'name' parameter in member_search.php, trainer_search.php, and gym_search.php, as well as the 'id' parameter in payment_search.php, allowing injection of malicious SQL commands into database queries.

These vulnerabilities carry a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L). An unauthenticated remote attacker can exploit them over the network with low attack complexity, no privileges, and no user interaction required, achieving high confidentiality and integrity impacts alongside low availability impact. Successful exploitation enables unauthorized data extraction, authentication bypass, or modification of database contents.

Mitigation details are available in the referenced GitHub issue at https://github.com/AbhishekMali21/GYM-MANAGEMENT-SYSTEM/issues/4.
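The injection pattern and its fix, as an added example that is not the project's code: a Python/SQLite model of a 'name' search like member_search.php and an 'id' lookup like payment_search.php. The members table, its column names and the sample rows are constructed assumptions for the example; the real application is PHP and the advisory does not describe its schema. The concatenated versions return every row for an injected value, while the parameterised versions, together with an SI-10 style integer check on 'id', do not.

```python
import sqlite3
from typing import List, Optional, Tuple

# Constructed stand-in for the application's members table. Column names and
# rows are assumptions for this example; the advisory does not describe the schema.
SAMPLE_MEMBERS = [
    (1, "Alice Example", "alice@example.test"),
    (2, "Bob Example", "bob@example.test"),
    (3, "Carol Example", "carol@example.test"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", SAMPLE_MEMBERS)
    conn.commit()
    return conn


def search_by_name_vulnerable(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """CWE-89 pattern behind the 'name' parameter: the request value becomes SQL text."""
    query = f"SELECT id, name, email FROM members WHERE name LIKE '%{name}%'"
    return conn.execute(query).fetchall()


def search_by_name_fixed(conn: sqlite3.Connection, name: str) -> List[Tuple]:
    """Parameterised form: the value is bound, so quotes and comments are data, not SQL."""
    query = "SELECT id, name, email FROM members WHERE name LIKE ?"
    return conn.execute(query, (f"%{name}%",)).fetchall()


def parse_id(value: str) -> Optional[int]:
    """SI-10 style validation for the 'id' parameter: accept only a non-negative integer."""
    value = value.strip()
    return int(value) if value.isdigit() else None


def lookup_by_id_vulnerable(conn: sqlite3.Connection, id_value: str) -> List[Tuple]:
    """CWE-89 pattern behind the 'id' parameter: an unquoted numeric field needs no quote to break out."""
    query = f"SELECT id, name FROM members WHERE id = {id_value}"
    return conn.execute(query).fetchall()


def lookup_by_id_fixed(conn: sqlite3.Connection, id_value: str) -> List[Tuple]:
    """Validate, then bind: anything that is not an integer is rejected before it reaches the database."""
    parsed = parse_id(id_value)
    if parsed is None:
        raise ValueError(f"rejected non-numeric id: {id_value!r}")
    return conn.execute("SELECT id, name FROM members WHERE id = ?", (parsed,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "%' OR 1=1 --"  # closes the LIKE literal, adds a true clause, comments out the rest
    print("vulnerable name search:", len(search_by_name_vulnerable(db, tautology)), "rows")
    print("fixed name search:     ", len(search_by_name_fixed(db, tautology)), "rows")
    print("vulnerable id lookup:  ", len(lookup_by_id_vulnerable(db, "2 OR 1=1")), "rows")
    try:
        lookup_by_id_fixed(db, "2 OR 1=1")
    except ValueError as exc:
        print("fixed id lookup:       ", exc)
```

The same payload that dumps the whole table through the concatenated query matches nothing once it is bound, because the database receives the quote and the `--` as part of a string value rather than as SQL. For the numeric parameter, binding alone is not enough to keep a clear error contract, so the value is validated first and rejected with a `ValueError` rather than silently returning no rows.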


Vulnerability details

Multiple SQL Injection vulnerabilities exist in AbhishekMali21 GYM-MANAGEMENT-SYSTEM 1.0 via the 'name' parameter in (1) member_search.php, (2) trainer_search.php, and (3) gym_search.php, and via the 'id' parameter in (4) payment_search.php. An unauthenticated remote attacker can exploit these issues to inject malicious SQL commands, leading to unauthorized data extraction, authentication bypass, or modification of database contents.

CWE(s)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1213.006 Databases (Collection)
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in a public-facing PHP web application gives an attacker the initial foothold described by T1190, and the arbitrary database queries it permits map to collection from databases (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25199 (shared CWE-89)
CVE-2026-27179 (shared CWE-89)
CVE-2025-0308 (shared CWE-89)
CVE-2019-25581 (shared CWE-89)
CVE-2026-27885 (shared CWE-89)
CVE-2019-25479 (shared CWE-89)
CVE-2026-1476 (shared CWE-89)
CVE-2019-25526 (shared CWE-89)
CVE-2025-69365 (shared CWE-89)
CVE-2019-25573 (shared CWE-89)

Affected Assets

Vendor: abhishekmali21
Product: gym management system
Version: 1.0

Mitigating Controls (NIST 800-53 r5, AI)

prevent · SI-10 Information Input Validation
Directly prevents SQL injection by requiring validation of untrusted user input such as the 'name' and 'id' parameters in member_search.php, trainer_search.php, gym_search.php, and payment_search.php before any database query is executed.

prevent · SI-2 Flaw Remediation
Addresses remediation of the specific SQL injection flaws (CWE-89) in the identified PHP files, preventing unauthorized data extraction, authentication bypass, and database modification.

detect
Enables monitoring of system activity to identify SQL injection attempts through anomalous database queries or request patterns aimed at the vulnerable parameters.
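One way to put the detect control into practice, as an added example that is not part of the original advisory: a small Python scanner that reads web-server access logs in combined log format, picks out requests to the four scripts named above, URL-decodes the 'name' or 'id' value, and flags values that carry SQL injection indicators. The log lines are constructed for this example (RFC 5737 test addresses, an assumed /gym/ path prefix); the indicator patterns are a starting set, not the project's own rules.

```python
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

# Scripts and the parameter each one takes, as named in the advisory.
VULNERABLE_PARAMS = {
    "member_search.php": "name",
    "trainer_search.php": "name",
    "gym_search.php": "name",
    "payment_search.php": "id",
}

# Constructed sample access-log lines (combined log format). Source addresses are
# RFC 5737 test ranges and the /gym/ prefix is an assumption for the example.
SAMPLE_LOG_LINES = [
    '203.0.113.10 - - [12/Jan/2026:10:15:01 +0000] "GET /gym/member_search.php?name=Alice HTTP/1.1" 200 1532',
    '203.0.113.10 - - [12/Jan/2026:10:15:07 +0000] "GET /gym/member_search.php?name=%25%27+OR+1%3D1+-- HTTP/1.1" 200 48211',
    '198.51.100.7 - - [12/Jan/2026:10:16:30 +0000] "GET /gym/payment_search.php?id=5 HTTP/1.1" 200 900',
    '198.51.100.7 - - [12/Jan/2026:10:16:41 +0000] "GET /gym/payment_search.php?id=5+UNION+SELECT+1%2Cuser%28%29%2C3+-- HTTP/1.1" 200 4200',
    '192.0.2.9 - - [12/Jan/2026:10:17:02 +0000] "GET /gym/trainer_search.php?name=O%27Brien HTTP/1.1" 200 1200',
    '192.0.2.9 - - [12/Jan/2026:10:17:05 +0000] "GET /gym/gym_search.php?name=%27+AND+SLEEP%285%29--+ HTTP/1.1" 200 1200',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Indicators checked against the decoded 'name' value. A lone apostrophe is deliberately
# not an indicator: names such as O'Brien are legitimate input to a name search.
SQLI_INDICATORS = {
    "quoted boolean operator": re.compile(r"'\s*(or|and)\b", re.I),
    "union select": re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I),
    "sql comment": re.compile(r"--|/\*|#"),
    "time-based function": re.compile(r"\b(sleep|benchmark|load_file)\s*\(", re.I),
    "schema probing": re.compile(r"\binformation_schema\b", re.I),
    "bare tautology": re.compile(r"\b(or|and)\b\s+\d+\s*=\s*\d+", re.I),
    "stacked statement": re.compile(r";\s*(drop|delete|update|insert|alter)\b", re.I),
}


def classify_value(param: str, value: str) -> Optional[str]:
    """Return the reason a decoded parameter value looks like an injection attempt, or None."""
    if param == "id":
        # The id parameter should only ever be an integer; anything else is suspicious.
        return None if value.strip().isdigit() else "non-numeric id"
    for reason, pattern in SQLI_INDICATORS.items():
        if pattern.search(value):
            return reason
    return None


def analyse_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Scan access-log lines for injection attempts against the vulnerable scripts."""
    alerts = []
    for line in lines:
        match = LOG_RE.match(line.rstrip("\n"))
        if not match:
            continue  # not combined log format; skip rather than guess
        parts = urlsplit(match["target"])
        script = parts.path.rsplit("/", 1)[-1]
        param = VULNERABLE_PARAMS.get(script)
        if param is None:
            continue
        # parse_qs percent-decodes and turns '+' into spaces, so patterns see the raw SQL.
        for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            reason = classify_value(param, value)
            if reason:
                alerts.append({
                    "src": match["src"], "ts": match["ts"], "script": script,
                    "param": param, "value": value, "reason": reason,
                })
    return alerts


if __name__ == "__main__":
    for alert in analyse_log(SAMPLE_LOG_LINES):
        print(f"{alert['ts']} {alert['src']} {alert['script']}?{alert['param']}= "
              f"{alert['value']!r} [{alert['reason']}]")
```

Three of the six constructed lines are flagged: the tautology against member_search.php, the UNION payload in the numeric 'id' of payment_search.php, and the time-based probe against gym_search.php; the O'Brien lookup passes because an apostrophe on its own is ordinary name input. In production the same logic runs over the real access log (or a web application firewall feed), and the script allow-list can be widened to every endpoint once the four named scripts are patched.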

References

https://github.com/AbhishekMali21/GYM-MANAGEMENT-SYSTEM/issues/4 (GitHub issue with mitigation details)