Reflected Cross-Site Scripting (XSS) in IsMyGym
IsMyGym.
INCIBE has coordinated the publication of one medium-severity vulnerability affecting IsMyGym by Zuinq Studio, a system for managing gyms. The vulnerability was discovered by Gonzalo Aguilar García (6h4ack).
This vulnerability has been assigned the following code, CVSS v4.0 base score, CVSS vector, and CWE vulnerability type:
- CVE-2025-41081: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
The vulnerability has been fixed by Zuinq Studio's team in the latest version
La vulnerabilidad ha sido solucionada por el equipo de Zuinq Studio en la última versión.
CVE-2025-41081: reflected Cross-Site Scripting (XSS) vulnerability in IsMyGym by Zuinq Studio. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL with '/<PATH>.php/<XSS>'. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
