Cyber Resilience

CVE-2019-25489

Severity: High · Public PoC

Published: 27 February 2026
Modified: 06 March 2026
KEV Added: not listed
Patch: none referenced
CVSS v4.0 base score: 8.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0039 (30.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2019-25489 is a high-severity SQL injection (CWE-89) vulnerability in the Doditsolutions Airbnb Clone Script (Homey BNB V4). Its CVSS v4.0 base score is 8.8 (High); the CVSS v3.1 base score is 8.2.

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 30.8th percentile for exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2019-25489 is a SQL injection vulnerability (CWE-89) in Homey BNB V4, an Airbnb clone script. The flaw is in the rooms/ajax_refresh_subtotal endpoint, whose hosting_id parameter is passed into a database query without being neutralised: an attacker can place SQL syntax in that parameter of a GET request and alter the query the application executes.

Unauthenticated remote attackers can exploit the flaw with low complexity, requiring no privileges or user interaction. By crafting malicious hosting_id values in GET requests to the affected endpoint, they can extract sensitive database contents; the referenced description also mentions denial of service, although the CVSS v3.1 vector scores availability impact as none. The CVSS v3.1 base score is 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N): high confidentiality impact, low integrity impact, no availability impact.

Advisories and resources include a proof-of-concept exploit on Exploit-DB (46616), a VulnCheck advisory on the Homey BNB SQL injection via ajax_refresh_subtotal, and the vendor's Airbnb clone script page at doditsolutions.com/airbnb-clone-script. No specific patch or mitigation details are outlined in the provided references.
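The handler pattern described above, as an added example written for this page (not Homey BNB or Doditsolutions code): a constructed Python model of a rooms/ajax_refresh_subtotal-style lookup in which the raw hosting_id is interpolated into the SQL text, beside a hardened version that applies the SI-10-style allow-list validation listed under Mitigating Controls and binds the value as a parameter. The hosting table, its columns, the nights parameter and the in-memory SQLite database are assumptions made so the example runs offline; the two probe values are generic SQL-injection shapes, not the public PoC.

```python
"""Constructed model of an ajax_refresh_subtotal-style handler.

Example code written for this page, not Homey BNB / Doditsolutions code: the
`hosting` table, its columns, the `nights` parameter and the in-memory SQLite
database are all assumptions made so the example runs offline.
"""
import re
import sqlite3


class BadRequest(ValueError):
    """Raised by the hardened handler when a parameter fails validation (HTTP 400)."""


def build_db() -> sqlite3.Connection:
    """Constructed sample data: listings with a nightly rate and the owner's e-mail."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE hosting (id INTEGER PRIMARY KEY, title TEXT, "
        "owner_email TEXT, nightly_rate REAL)"
    )
    conn.executemany(
        "INSERT INTO hosting VALUES (?, ?, ?, ?)",
        [
            (1, "Loft downtown", "host1@example.test", 120.0),
            (2, "Beach cabin", "host2@example.test", 95.0),
            (3, "Mountain hut", "host3@example.test", 70.0),
        ],
    )
    return conn


def ajax_refresh_subtotal_vulnerable(conn, params):
    """CWE-89 pattern: the raw GET parameter is interpolated into the SQL text.

    `params` stands in for the parsed query string of the GET request. Whatever
    the client puts in hosting_id becomes part of the statement, so the WHERE
    clause, and through UNION the whole result set, is under attacker control.
    """
    hosting_id = params.get("hosting_id", "")
    nights = int(params.get("nights", "1"))  # int() happens to protect this one
    sql = (
        f"SELECT id, nightly_rate * {nights} AS subtotal "
        f"FROM hosting WHERE id = {hosting_id}"
    )
    return conn.execute(sql).fetchall()


HOSTING_ID_RE = re.compile(r"[1-9][0-9]{0,9}")  # allow-list: positive integer id


def ajax_refresh_subtotal_hardened(conn, params):
    """Hardened form: allow-list validation (SI-10) plus a parameterised query.

    Validation rejects anything that is not a plain integer id before the
    database is touched; the bound parameter guarantees the value can never be
    parsed as SQL even if the validation rule is loosened later.
    """
    hosting_id = params.get("hosting_id", "")
    if not HOSTING_ID_RE.fullmatch(hosting_id):
        raise BadRequest("hosting_id must be a positive integer")
    try:
        nights = int(params.get("nights", "1"))
    except ValueError:
        raise BadRequest("nights must be an integer") from None
    if not 1 <= nights <= 365:
        raise BadRequest("nights out of range")
    return conn.execute(
        "SELECT id, nightly_rate * ? AS subtotal FROM hosting WHERE id = ?",
        (nights, int(hosting_id)),
    ).fetchall()


def demo():
    """Run the same requests through both handlers and return what each did."""
    conn = build_db()
    legit = {"hosting_id": "2", "nights": "3"}
    tautology = {"hosting_id": "2 OR 1=1", "nights": "1"}
    union = {"hosting_id": "0 UNION SELECT id, owner_email FROM hosting", "nights": "1"}
    results = {
        "vulnerable_legit": ajax_refresh_subtotal_vulnerable(conn, legit),
        "vulnerable_tautology": ajax_refresh_subtotal_vulnerable(conn, tautology),
        "vulnerable_union": ajax_refresh_subtotal_vulnerable(conn, union),
        "hardened_legit": ajax_refresh_subtotal_hardened(conn, legit),
    }
    for name, payload in (("tautology", tautology), ("union", union)):
        try:
            ajax_refresh_subtotal_hardened(conn, payload)
            results[f"hardened_{name}"] = "accepted"
        except BadRequest as exc:
            results[f"hardened_{name}"] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against the vulnerable handler the tautology returns every listing's subtotal and the UNION probe returns owner e-mail addresses in place of subtotals, which is the confidentiality impact the vector scores as C:H; the hardened handler rejects both before any query runs. The allow-list is deliberately narrower than "anything int() accepts" (no leading zeros, sign or whitespace), because the hosting id is an opaque key and nothing legitimate needs those forms.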

Vulnerability details

Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the hosting_id parameter. Attackers can send GET requests to the rooms/ajax_refresh_subtotal endpoint with malicious hosting_id values to extract sensitive database information or cause denial of service.

CWE(s)

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
Why these techniques?

CVE-2019-25489 is an unauthenticated SQL injection in a public-facing web endpoint (T1190: Exploit Public-Facing Application), enabling arbitrary database queries that extract sensitive information (T1213.006: Data from Information Repositories: Databases).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2019-25491 (same product: Doditsolutions Airbnb Clone Script)
CVE-2019-25492 (same product: Doditsolutions Airbnb Clone Script)
CVE-2019-25494 (same product: Doditsolutions Airbnb Clone Script)
CVE-2019-25493 (same product: Doditsolutions Airbnb Clone Script)
CVE-2019-25490 (same product: Doditsolutions Airbnb Clone Script)
CVE-2018-25199 (shared CWE-89)
CVE-2026-27179 (shared CWE-89)
CVE-2025-0308 (shared CWE-89)
CVE-2019-25581 (shared CWE-89)
CVE-2026-27885 (shared CWE-89)

Affected Assets

Vendor: doditsolutions
Product: airbnb clone script
Version: 4

Mitigating Controls (NIST 800-53 r5) [AI]

prevent · SI-10 Information Input Validation
Directly requires validation of the hosting_id parameter in GET requests to the rooms/ajax_refresh_subtotal endpoint, so that SQL injection payloads are rejected before they can reach the database query.

prevent · SC-7 Boundary Protection
Boundary protection at web interfaces allows a web application firewall to inspect unauthenticated requests and block malicious SQL injection attempts before they reach the application.

detect · SI-4 System Monitoring
System monitoring detects anomalous database access patterns or unauthorized query executions indicative of successful or ongoing SQL injection exploitation.
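One way to implement the detect control above over web-server access logs, as an added example written for this page (not from any product, WAF or SIEM): it applies the same positive-integer allow-list that a boundary WAF rule (SC-7) would enforce on hosting_id, but runs it retrospectively over combined-format log lines, so requests that reached rooms/ajax_refresh_subtotal with SQL syntax in the parameter are surfaced and grouped by source address. The log lines, client addresses (documentation ranges) and probe strings are constructed for the example; none of them is the public PoC.

```python
"""Constructed detection example for requests probing the hosting_id parameter.

Example code written for this page, not from any product or SIEM. The access-log
lines are constructed in combined-log format, the client addresses are
documentation ranges, and the probe strings are generic SQL-injection shapes
used only to exercise the detector.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: one benign request, three probes against the
# vulnerable endpoint, and one request to a different path that is out of scope.
SAMPLE_LOG = """\
203.0.113.10 - - [27/Feb/2026:10:00:01 +0000] "GET /rooms/ajax_refresh_subtotal?hosting_id=42&nights=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [27/Feb/2026:10:00:05 +0000] "GET /rooms/ajax_refresh_subtotal?hosting_id=42%27%20OR%201%3D1--&nights=3 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Feb/2026:10:01:11 +0000] "GET /rooms/ajax_refresh_subtotal?hosting_id=0%20UNION%20SELECT%20id%2Cowner_email%20FROM%20hosting HTTP/1.1" 200 1024 "-" "curl/8.0"
198.51.100.7 - - [27/Feb/2026:10:01:12 +0000] "GET /rooms/ajax_refresh_subtotal?hosting_id=1%27&nights=2 HTTP/1.1" 500 0 "-" "curl/8.0"
192.0.2.5 - - [27/Feb/2026:10:02:00 +0000] "GET /rooms/show?hosting_id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)
TARGET_PATH = "/rooms/ajax_refresh_subtotal"
HOSTING_ID_OK = re.compile(r"[1-9][0-9]{0,9}")  # the allow-list a WAF rule would enforce


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    url = urlsplit(m["target"])
    return {
        "ip": m["ip"],
        "ts": m["ts"],
        "path": url.path,
        # parse_qs percent-decodes, so 42%27 is inspected as 42' rather than as raw text
        "query": parse_qs(url.query, keep_blank_values=True),
        "status": int(m["status"]),
    }


def hosting_id_is_valid(value):
    """Allow-list check: hosting_id must be a plain positive integer."""
    return HOSTING_ID_OK.fullmatch(value) is not None


def scan(log_text):
    """Return one finding per request to the endpoint whose hosting_id fails the allow-list."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET_PATH:
            continue
        for value in rec["query"].get("hosting_id", []):
            if not hosting_id_is_valid(value):
                findings.append({
                    "ip": rec["ip"],
                    "ts": rec["ts"],
                    "status": rec["status"],
                    "hosting_id": value,
                })
    return findings


def offenders(findings, threshold=1):
    """Count findings per source address; addresses at or above threshold are block candidates."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"{f['ts']} {f['ip']} status={f['status']} hosting_id={f['hosting_id']!r}")
    print("repeat offenders:", offenders(found, threshold=2))
```

Both the WAF rule and this after-the-fact scan must work on the percent-decoded value; a pattern applied to the raw query string misses 42%27. A 500 on a probe line is worth correlating with the application or database error log, since error-based injection relies on exactly that response. The page lists five further CVEs in the same product, so in practice the allow-list belongs wherever the application reads hosting_id, not only at this endpoint.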