Cyber Posture

CVE-2019-25489

Severity: High · Public PoC

Published: 27 February 2026
Modified: 06 March 2026
KEV Added:
Patch:
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0015 (35.0th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the hosting_id parameter. Attackers can send GET requests to the rooms/ajax_refresh_subtotal endpoint with malicious hosting_id values to extract sensitive database information or cause denial of service.

Mitigating Controls (NIST 800-53 r5), AI-generated

Prevent: Input validation of the hosting_id parameter in GET requests to the rooms/ajax_refresh_subtotal endpoint stops SQL injection payloads from reaching and altering the database query.

Prevent: Boundary protection at web interfaces allows a web application firewall to inspect unauthenticated requests and block SQL injection attempts before they reach the application.

Detect: System monitoring identifies anomalous database access patterns or unauthorized query executions that indicate ongoing or successful SQL injection exploitation.
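The prevent (input validation) and detect (monitoring) controls above, worked in Python as an added example that is not code from this page or from the Homey BNB script, whose source is not shown here: a hardened handler for the rooms/ajax_refresh_subtotal endpoint that allow-lists hosting_id and binds it as a query parameter, plus a check over constructed access-log lines that flags requests whose hosting_id fails the same allow-list. The table schema, the handler's shape and the log lines are assumptions.

```python
import re
import sqlite3
from urllib.parse import parse_qs
# Assumed: hosting_id is a plain integer key, so a strict allow-list is enough.
HOSTING_ID_RE = re.compile(r"^[0-9]{1,10}$")
# Matches the page's endpoint in a common-log-format request line (any site prefix).
ENDPOINT_RE = re.compile(r'"GET (\S*/rooms/ajax_refresh_subtotal)\?(\S*) HTTP/')

def validate_hosting_id(raw):
    """Return the integer hosting_id, or None if the value is anything else."""
    if raw is None or not HOSTING_ID_RE.fullmatch(raw):
        return None
    return int(raw)

def make_db():
    """Constructed in-memory stand-in for the hostings table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hostings (hosting_id INTEGER PRIMARY KEY, nightly_price REAL)")
    conn.executemany("INSERT INTO hostings VALUES (?, ?)", [(1, 80.0), (2, 120.0), (3, 65.0)])
    return conn

def refresh_subtotal(conn, raw_hosting_id, nights):
    """Hardened handler: allow-list validation, then a bound parameter; no SQL splicing."""
    hosting_id = validate_hosting_id(raw_hosting_id)
    if hosting_id is None:
        return {"error": "invalid hosting_id"}
    row = conn.execute("SELECT nightly_price FROM hostings WHERE hosting_id = ?", (hosting_id,)).fetchone()
    if row is None:
        return {"error": "not found"}
    return {"hosting_id": hosting_id, "subtotal": row[0] * nights}

def flag_suspicious_requests(log_lines):
    """Detection: requests to the endpoint whose hosting_id fails the same allow-list."""
    hits = []
    for line in log_lines:
        m = ENDPOINT_RE.search(line)
        if not m:
            continue
        path, query = m.groups()
        for raw in parse_qs(query).get("hosting_id", []):  # parse_qs percent-decodes
            if validate_hosting_id(raw) is None:
                hits.append((path, raw))
    return hits

# Constructed access-log lines (common log format), not taken from any real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [27/Feb/2026:10:00:01 +0000] "GET /rooms/ajax_refresh_subtotal?hosting_id=2&nights=3 HTTP/1.1" 200 512',
    '203.0.113.9 - - [27/Feb/2026:10:00:02 +0000] "GET /rooms/ajax_refresh_subtotal?hosting_id=2%27 HTTP/1.1" 500 0',
    '203.0.113.9 - - [27/Feb/2026:10:00:03 +0000] "GET /rooms/ajax_refresh_subtotal?hosting_id=1%20OR%201%3D1 HTTP/1.1" 200 9120',
    '198.51.100.7 - - [27/Feb/2026:10:00:04 +0000] "GET /rooms/search?hosting_id=abc HTTP/1.1" 200 300',
]
```

The same allow-list serves both sides: the handler rejects what the detector flags, so a WAF or SIEM rule built on it stays consistent with the application's own validation.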

Security Summary, AI-generated

CVE-2019-25489 is a SQL injection vulnerability (CWE-89) present in Homey BNB V4, an Airbnb clone script. The flaw resides in the rooms/ajax_refresh_subtotal endpoint, where the hosting_id parameter is vulnerable to manipulation. Attackers can inject arbitrary SQL code through this parameter in GET requests, enabling unauthorized database query alterations.

Unauthenticated remote attackers can exploit the vulnerability with low complexity, requiring no privileges or user interaction. By crafting malicious hosting_id values in GET requests to the affected endpoint, they can extract sensitive database information or cause denial of service. The issue carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high confidentiality impact with low integrity impact and no availability impact per the vector.

Advisories and resources include a proof-of-concept exploit on Exploit-DB (46616), a VulnCheck advisory on the Homey BNB SQL injection via ajax_refresh_subtotal, and the vendor's Airbnb clone script page at doditsolutions.com/airbnb-clone-script. No specific patch or mitigation details are outlined in the provided references.

Details

CWE(s): CWE-89

Affected Products: doditsolutions airbnb clone script, version 4

MITRE ATT&CK Enterprise Techniques, AI-generated

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.

Why these techniques?

CVE-2019-25489 is an unauthenticated SQL injection in a public-facing web endpoint (T1190: Exploit Public-Facing Application), enabling arbitrary database queries to extract sensitive information (T1213.006: Data from Information Repositories - Databases).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References