CVE-2026-7716
Description
A vulnerability was found in code-projects Gym Management System In PHP and Windows NT 1.0. This vulnerability affects unknown code of the file /index.php. Manipulation of the argument `day` results in SQL injection. The attack can be initiated remotely. The exploit has been made public and could be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection vulnerability in Gym Management System in PHP 1.0 allows remote attackers to execute arbitrary SQL commands via the `day` parameter in /index.php.
Root Cause
The vulnerability exists in functions/functions.php lines 31-57, where the `$_GET['day']` parameter is directly concatenated into an SQL query without sanitization or parameterization [1]. The query `SELECT * FROM exercises WHERE day_id='$day_id'` allows an attacker to inject arbitrary SQL payloads.
Exploitation
An authenticated attacker can craft a malicious day parameter in a GET request to /index.php. The provided proof-of-concept demonstrates a UNION-based injection that reflects injected data on the page, confirming the vulnerability's exploitability [1]. The exploit requires a valid session cookie but no additional privileges.
Impact
Successful exploitation enables the attacker to execute arbitrary SQL commands, leading to data exfiltration. As demonstrated, an attacker can use sqlmap to dump the admin table, retrieving credentials and other sensitive information [1].
Mitigation
The vendor has not released a patch; users should apply input validation and parameterized queries. The exploit is publicly available, increasing the risk of widespread attacks.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
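The concatenation described under Root Cause, shown beside the validated and parameterized form the Mitigation section calls for. This is an added example, not code from this CVE record or from the Gym Management System project; the `$pdo` handle, the assumed range of `day_id` values and the connection details are assumptions.

```php
<?php
// Added example (not the project's own code). Mirrors the pattern the advisory
// describes in functions/functions.php and the parameterized replacement.

// Vulnerable pattern: untrusted $_GET['day'] is spliced into the SQL string,
// so the database parses attacker-controlled text as part of the query.
function get_exercises_vulnerable(PDO $pdo, array $get): array
{
    $day_id = $get['day'] ?? '';
    $sql = "SELECT * FROM exercises WHERE day_id='$day_id'"; // injectable
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: validate the parameter against the values it can legitimately
// take, then bind it so it is only ever treated as data, never as SQL.
function get_exercises_safe(PDO $pdo, array $get): array
{
    $raw = $get['day'] ?? null;
    // Assumption: day_id is a small positive integer (1..7, one per weekday).
    // filter_var returns false for null, non-numeric or out-of-range input.
    $day_id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 7],
    ]);
    if ($day_id === false) {
        http_response_code(400);
        return [];
    }
    $stmt = $pdo->prepare('SELECT * FROM exercises WHERE day_id = :day_id');
    $stmt->bindValue(':day_id', $day_id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with an assumed DSN and credentials:
// $pdo = new PDO('mysql:host=localhost;dbname=gym', 'user', 'pass', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares, not client quoting
// ]);
// $rows = get_exercises_safe($pdo, $_GET);
```

The validation step alone would already reject the injected strings this class of exploit relies on; the prepared statement keeps the query safe even if the allowed value set later grows beyond integers.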
Affected products
Range: =1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.