{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5206", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-31T08:52:35.942Z", "datePublished": "2026-03-31T17:30:13.639Z", "dateUpdated": "2026-04-01T13:57:53.811Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-31T17:30:13.639Z"}, "title": "code-projects Simple Gym Management System Payment sql injection", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-89", "lang": "en", "description": "SQL Injection"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-74", "lang": "en", "description": "Injection"}]}], "affected": [{"vendor": "code-projects", "product": "Simple Gym Management System", "versions": [{"version": "1.0", "status": "affected"}], "modules": ["Payment Handler"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in code-projects Simple Gym Management System 1.0. This vulnerability affects unknown code of the component Payment Handler. The manipulation of the argument Payment_id/Amount/customer_id/payment_type/customer_name leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-03-31T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-31T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-31T10:57:40.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "nomath (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/vuln/354336", "name": "VDB-354336 | code-projects Simple Gym Management System Payment sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/354336/cti", "name": "VDB-354336 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/780406", "name": "Submit #780406 | code-projects Simple Gym Management System 1.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/maidangdang1/CVE/issues/5", "tags": ["exploit", "issue-tracking"]}, {"url": "https://code-projects.org/", "tags": ["product"]}], "tags": ["x_freeware"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-01T13:57:46.721784Z", "id": "CVE-2026-5206", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T13:57:53.811Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5206", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-01T13:57:46.721784Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-01T13:57:50.322Z"}}], "cna": {"tags": ["x_freeware"], "title": "code-projects Simple Gym Management System Payment sql injection", "credits": [{"lang": "en", "type": "reporter", "value": "nomath (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"vendor": "code-projects", "modules": ["Payment Handler"], "product": "Simple Gym Management System", "versions": [{"status": "affected", "version": "1.0"}]}], "timeline": [{"lang": "en", "time": "2026-03-31T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-31T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-31T10:57:40.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/vuln/354336", "name": "VDB-354336 | code-projects Simple Gym Management System Payment sql injection", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/vuln/354336/cti", "name": "VDB-354336 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/submit/780406", "name": "Submit #780406 | code-projects Simple Gym Management System 1.0 SQL Injection", "tags": ["third-party-advisory"]}, {"url": "https://github.com/maidangdang1/CVE/issues/5", "tags": ["exploit", "issue-tracking"]}, {"url": "https://code-projects.org/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in code-projects Simple Gym Management System 1.0. This vulnerability affects unknown code of the component Payment Handler. The manipulation of the argument Payment_id/Amount/customer_id/payment_type/customer_name leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "SQL Injection"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-74", "description": "Injection"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-31T17:30:13.639Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5206", "state": "PUBLISHED", "dateUpdated": "2026-04-01T13:57:53.811Z", "dateReserved": "2026-03-31T08:52:35.942Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-31T17:30:13.639Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in code-projects Simple Gym Management System 1.0. This vulnerability affects unknown code of the component Payment Handler. The manipulation of the argument Payment_id/Amount/customer_id/payment_type/customer_name leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used."}], "id": "CVE-2026-5206", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-31T18:16:59.520", "references": [{"source": "cna@vuldb.com", "url": "https://code-projects.org/"}, {"source": "cna@vuldb.com", "url": "https://github.com/maidangdang1/CVE/issues/5"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/submit/780406"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354336"}, {"source": "cna@vuldb.com", "url": "https://vuldb.com/vuln/354336/cti"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "1.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Simple Gym Management System", "source": "cna", "vendor": "code-projects"}, "product": "simple_gym_management_system", "vendor": "code-projects"}], "analysis": {"en": {"generated_at": "2026-03-31T19:38:37.391894+00:00", "value": {"mitigation_remediation": ["Check for and install any available updates or patches for the Simple Gym Management System from code-projects.org.", "Implement input validation or, preferably, parameterized queries for all payment-related parameters to eliminate injection opportunities.", "Restrict unauthenticated users from accessing the Payment Handler endpoint and enforce proper authentication and authorization checks.", "Enable logging of SQL errors and monitor traffic for anomalous query patterns that may indicate attempted exploitation.", "Deploy a web application firewall or similar security controls to filter malicious input until a patch is applied."], "summary": {"action": "Patch", "impact": "Data compromise via SQL injection"}, "threat_synthesis": {"affected_systems": "Affected by the 1.0 release of the Simple Gym Management System from code-projects. No other vendors or product versions are listed.", "description_and_impact": "The vulnerability resides in the Payment Handler component of the Simple Gym Management System 1.0. Manipulating the Payment_id, Amount, customer_id, payment_type, or customer_name parameters allows a remote attacker to inject malicious SQL code. This can potentially grant unauthorized access to the database, expose confidential data, or allow further compromise of the application\u2019s integrity. The weakness is identified as a classic SQL injection (CWE\u201174, CWE\u201189).", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate risk. EPSS data is unavailable, and the issue is not listed in the KEV catalog, suggesting it is not widely exploited in the wild yet. Remote exploitation is possible through crafted input to the Payment Handler endpoint. No formal patch has been released, making the vulnerability exploitable as long as the vulnerable code remains unpatched."}}}}, "created": "2026-03-31T19:53:47.096887+00:00", "updated": "2026-03-31T20:37:44.852674+00:00", "vendors": ["code-projects", "code-projects$PRODUCT$simple_gym_management_system"]}