CVE-2025-41081
Description
Reflected Cross-Site Scripting (XSS) vulnerability in IsMyGym by Zuinq Studio. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL with '/.php/'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A reflected XSS vulnerability in IsMyGym allows attackers to execute arbitrary JavaScript via a crafted URL path.
A reflected Cross-Site Scripting (XSS) vulnerability, identified as CVE-2025-41081, affects IsMyGym by Zuinq Studio, a gym management system. The bug resides in how the application handles URL paths: a malicious URL containing '/.php/' causes the server to reflect the injected script back to the user's browser without proper sanitization [1]. This is classified under CWE-79 and has been assigned a CVSS v4.0 base score of 5.1 (medium severity) [1].
To exploit this vulnerability, an attacker crafts a malicious link that includes arbitrary JavaScript in the path segment after a .php extension. The attacker then convinces the user to click the link (user interaction is required), and the script executes in the victim's browser within the context of the vulnerable IsMyGym application [1]. No authentication is needed for the attack to succeed.
The impact of successful exploitation includes theft of session cookies, which could allow an attacker to impersonate the victim, as well as performing actions on the victim's behalf within the application. The attacker can also deface pages or redirect the user to malicious sites [1].
The vulnerability has been fixed by Zuinq Studio's team in the latest version of IsMyGym. Users are advised to update to the patched release to mitigate the risk [1].
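The mechanism behind a '/.php/' reflected XSS, as an added illustration that is not IsMyGym's code: with path info enabled on the web server, a request for /page.php/<segment> still executes page.php, and PHP's PHP_SELF server variable carries the attacker-controlled trailing segment verbatim. The advisory does not say which value IsMyGym reflects; PHP_SELF is assumed here as the best-known case, shown beside the escaped form a defender would use.

```php
<?php
// Added illustration, not IsMyGym code. Assumption: the page reflects
// $_SERVER['PHP_SELF'], which equals SCRIPT_NAME plus any PATH_INFO, so
// a request for /login.php/<segment> puts <segment> into the HTML below.

// Vulnerable pattern: the current script path is written into the form
// action unescaped, so whatever followed ".php" in the URL lands in the page.
function render_form_vulnerable(): string {
    return '<form method="post" action="' . $_SERVER['PHP_SELF'] . '">';
}

// Hardened pattern: derive the action from SCRIPT_NAME, which never contains
// PATH_INFO, and HTML-escape it anyway so no request-derived text reaches
// the markup unencoded.
function render_form_hardened(): string {
    $action = htmlspecialchars($_SERVER['SCRIPT_NAME'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="' . $action . '">';
}

// Defence in depth: a script that does not use path info has no reason to
// accept it; answer such requests with 404 before rendering anything.
function reject_unexpected_path_info(): void {
    if (!empty($_SERVER['PATH_INFO'])) {
        http_response_code(404);
        exit;
    }
}

reject_unexpected_path_info();
echo render_form_hardened();
```

The same escaping rule applies to any other request-derived value (REQUEST_URI, QUERY_STRING, PATH_INFO) that a template writes into HTML.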
References
1. INCIBE advisory – Reflected Cross-Site Scripting (XSS) in IsMyGym
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.