How to fix CVE-2019-25492?

Within 24 hours: Inventory all Homey BNB V4 instances and assess network exposure; isolate or disable internet-facing deployments if possible. Within 7 days: Implement WAF rules to block SQL injection payloads in the 'pt' parameter; enable database query logging and audit for signs of exploitation. Within 30 days: Evaluate migration to patched/alternative solutions; conduct forensic analysis of database logs for unauthorized access or data exfiltration since deployment.

Is PHP affected by CVE-2019-25492?

Homey BNB V4 contains a critical SQL injection vulnerability (CVE-2019-25492) that allows unauthenticated attackers to compromise database integrity and access sensitive data without authentication.

CVE-2019-25492

HIGH

2026-02-27 [email protected]

8.2

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Mar 06, 2026 - 21:00 vuln.today

Public exploit code

CVE Published

Feb 27, 2026 - 18:16 nvd

HIGH 8.2

Description

Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pt' parameter. Attackers can send GET requests to the admin/getcmsdata.php endpoint with malicious 'pt' values to extract sensitive database information.

Analysis

Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pt' parameter. [CVSS 8.2 HIGH]

Technical Context

Classified as CWE-89 (SQL Injection). Affects Airbnb Clone Script. Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pt' parameter. Attackers can send GET requests to the admin/getcmsdata.php endpoint with malicious 'pt' values to extract sensitive database information.

Affected Products

Vendor: Doditsolutions. Product: Airbnb Clone Script. Versions: up to 4.

Remediation

Monitor vendor advisories for a patch. Use parameterized queries. Implement input validation. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +41

POC: +20

CVE-2019-25492 vulnerability details – vuln.today

Back

CVE-2019-25492

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2019-25492

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code