CVE-2019-25489
Severity: CRITICAL (CVSS 9.1)
WAF: High
Published: 2026-02-27
CWE-89
Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the hosting_id parameter. Attackers can send GET requests to the rooms/ajax_refresh_subtotal endpoint with malicious hosting_id values to extract sensitive database information or cause denial of service.
WAF Coverage Analysis
SQL Injection
High WAF Coverage
OWASP: A03:2021 Injection
942xxx - SQL Injection
Affected Software
| Vendor | Product | Version |
|---|---|---|
| doditsolutions | airbnb_clone_script | 4 |
References
- www.doditsolutions.com (Product)
- www.exploit-db.com (Exploit)
- www.vulncheck.com (Broken Link)