CVE-2025-41081 is a reflected Cross-Site Scripting (XSS) vulnerability found in all versions of the IsMyGym product developed by Zuinq Studio. This vulnerability arises because the application improperly handles user-supplied input in URLs, specifically when a malicious URL path containing JavaScript code is crafted in the format '/<PATH>.php/<XSS>'. When a victim clicks such a URL, the injected script executes in their browser context. This allows attackers to perform actions such as stealing session cookies, capturing sensitive user data, or executing unauthorized commands on behalf of the user. The vulnerability does not require any authentication or privileges and can be exploited remotely over the network, but it does require user interaction (clicking the malicious link). The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:A), and no impact on confidentiality, integrity, or availability (VC:N, VI:N, VA:N), but with low scope impact (SC:L) and low severity impact (SI:L). No patches or known exploits are currently available, but the vulnerability poses a risk especially in environments where users access IsMyGym via web browsers. The reflected XSS can be leveraged in phishing campaigns or targeted attacks to compromise user sessions or perform unauthorized actions.

For European organizations, the impact of this vulnerability primarily concerns the confidentiality and integrity of user sessions and data within the IsMyGym platform. Attackers exploiting this flaw can hijack user sessions, leading to unauthorized access to personal or organizational fitness data, potentially violating privacy regulations such as GDPR. The vulnerability could also be used to conduct phishing or social engineering attacks, undermining user trust and causing reputational damage. While the vulnerability does not directly affect system availability, the indirect consequences of compromised accounts or data leakage could disrupt business operations. Organizations with web portals or client-facing interfaces using IsMyGym are at higher risk. The medium severity score reflects that exploitation requires user interaction and does not directly compromise system integrity or availability but still poses a meaningful threat to user data confidentiality and trust.

To mitigate CVE-2025-41081, organizations should implement strict input validation and output encoding on all user-supplied data, especially URL parameters, to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Educate users about the risks of clicking suspicious links and implement email filtering to reduce phishing attempts. Monitor web application logs for unusual URL patterns indicative of exploitation attempts. If possible, isolate or sandbox the IsMyGym application to limit the impact of any successful attacks. Engage with Zuinq Studio to obtain patches or updates addressing this vulnerability and apply them promptly once available. Additionally, consider deploying Web Application Firewalls (WAFs) with rules designed to detect and block reflected XSS payloads targeting IsMyGym endpoints. Regular security assessments and penetration testing should be conducted to verify the effectiveness of these controls.