CVE-2019-25489

🗓️ 27 Feb 2026 17:23:31Reported by VulnCheckType

cve🔗 web.nvd.nist.gov📰️ 1 Media mentions👁 9 Views🌐 WEB

SQL injection in Homey BNB V4 via hosting_id on rooms/ajax_refresh_subtotal enables data access.

Reporter	Title	Published	Views	Family All 10
ATTACKERKB	CVE-2019-25489	27 Feb 202617:23	–	attackerkb
Circl	CVE-2019-25489	27 Feb 202620:58	–	circl
CNNVD	Doditsolutions Homey BNB SQL注入漏洞	27 Feb 202600:00	–	cnnvd
Cvelist	CVE-2019-25489 Homey BNB V4 SQL Injection via ajax_refresh_subtotal	27 Feb 202617:23	–	cvelist
EUVD	EUVD-2019-19715	27 Feb 202618:31	–	euvd
NVD	CVE-2019-25489	27 Feb 202618:16	–	nvd
OSV	CVE-2019-25489	27 Feb 202618:16	–	osv
Positive Technologies	PT-2026-22357	27 Feb 202600:00	–	ptsecurity
RedhatCVE	CVE-2019-25489	28 Feb 202619:45	–	redhatcve
Vulnrichment	CVE-2019-25489 Homey BNB V4 SQL Injection via ajax_refresh_subtotal	27 Feb 202617:23	–	vulnrichment

NVD

Vulners

Node

doditsolutions airbnb_clone_scriptMatch4

[
  {
    "vendor": "Doditsolutions",
    "product": "Homey BNB (Airbnb Clone Script)",
    "versions": [
      {
        "version": "V4",
        "status": "affected"
      }
    ]
  }
]

Source	Link
exploit-db	www.exploit-db.com/exploits/46616
vulncheck	www.vulncheck.com/advisories/homey-bnb-sql-injection-via-ajaxrefreshsubtotal
doditsolutions	www.doditsolutions.com/airbnb-clone-script/

Parameter	Position	Path	Description	CWE
hosting_id	query param	rooms/ajax_refresh_subtotal	SQL injection vulnerability via hosting_id in GET parameter to rooms/ajax_refresh_subtotal	CWE-89

17 Jun 2026 02:32Current

6.1Medium risk

Vulners AI Score6.1

CVSS 3.18.2 - 9.1

CVSS 48.8

EPSS0.00391

SSVC

CWE-89

sql injection homey bnb v4 hosting id rooms ajax subtotal