CVE-2019-25493
Published: 27 February 2026
Summary
CVE-2019-25493 is a high-severity SQL injection (CWE-89) vulnerability in the Doditsolutions Airbnb Clone Script (Homey BNB V4). Its CVSS v3.1 base score, computed from the vector quoted in the analysis below, is 8.2 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 23.1st percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2019-25493 is an SQL injection vulnerability (CWE-89) in Homey BNB V4, an Airbnb clone script. The flaw resides in the admin/getrecord.php endpoint, where the 'val' request parameter is used in a database query without proper sanitization or parameter binding, so an attacker can inject arbitrary SQL and alter the query the application runs.
Unauthenticated attackers with network access can exploit the flaw with low complexity and no user interaction, as reflected in its CVSS v3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N (base score 8.2). By sending crafted GET requests to admin/getrecord.php with a malicious 'val' value, they can read sensitive data from the database (high confidentiality impact) and cause limited integrity disruption. Because the endpoint sits under the admin path yet requires no privileges (PR:N), the attack surface is effectively the whole Internet-facing site.
Advisories and proof-of-concept details are documented in the vendor page at https://www.doditsolutions.com/airbnb-clone-script/, the Exploit-DB entry at https://www.exploit-db.com/exploits/46616 and the VulnCheck advisory at https://www.vulncheck.com/advisories/homey-bnb-sql-injection-via-getrecordphp. These references describe the issue; none of them, in the information available here, identifies a vendor patch or workaround. The public Exploit-DB proof of concept makes real-world exploitation straightforward.
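Because the request shape is fully described (an unauthenticated GET to admin/getrecord.php with the payload in 'val'), attempts are easy to spot in web-server access logs. The following Python script is an added example, not code from the page's references or from the vendor: it parses constructed Apache/nginx combined-format log lines, percent-decodes the 'val' parameter of requests aimed at that path, and flags values carrying SQL metacharacters or keywords. The log lines, IP addresses and payloads are made up for the example, and the indicator regex is an assumed starting point to be tuned against legitimate traffic.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/nginx "combined" format; addresses and payloads are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Feb/2026:10:01:02 +0000] "GET /admin/getrecord.php?val=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Feb/2026:10:01:09 +0000] "GET /admin/getrecord.php?val=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Feb/2026:10:02:11 +0000] "GET /admin/getrecord.php?val=1%20UNION%20SELECT%20username,password%20FROM%20admin--%20- HTTP/1.1" 200 1533 "-" "curl/8.0"
198.51.100.7 - - [27/Feb/2026:10:02:30 +0000] "GET /index.php?val=%27 HTTP/1.1" 200 2048 "-" "curl/8.0"
"""

# Combined-log prefix: client IP, timestamp and the request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# Indicators in the *decoded* value: a quote, a comment sequence, or common SQL keywords.
# Assumed starting point; tune against legitimate traffic for the deployment.
SQLI_RE = re.compile(r"('|--|/\*|\b(?:UNION|SELECT|OR|AND|SLEEP|BENCHMARK)\b)", re.IGNORECASE)

TARGET_PATH = "/admin/getrecord.php"


def extract_val(target: str):
    """Return the percent-decoded 'val' parameter of a request target aimed at
    the vulnerable endpoint, or None if the path or parameter does not match."""
    parts = urlsplit(target)
    if not parts.path.endswith(TARGET_PATH):
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("val")
    return values[0] if values else None


def looks_like_sqli(val: str) -> bool:
    """True if the decoded value contains an injection indicator."""
    return SQLI_RE.search(val) is not None


def scan_log(text: str):
    """Return (ip, timestamp, decoded val) for each request that targets the
    endpoint with a suspicious 'val'; lines for other paths are ignored."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        val = extract_val(m["target"])
        if val is not None and looks_like_sqli(val):
            hits.append((m["ip"], m["ts"], val))
    return hits


if __name__ == "__main__":
    for ip, ts, val in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious val={val!r}")
```

Decoding before matching matters: the encoded forms (%27, %20) would slip past a rule that inspects the raw URL. The fourth sample line carries a quote in 'val' but on a different path, so it is not flagged; scope the rule to the vulnerable endpoint to keep the false-positive rate manageable, and expect keyword matches such as a bare OR to need tuning for free-text parameters.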
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19719
Vulnerability details
Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'val' parameter. Attackers can send GET requests to the admin/getrecord.php endpoint with malicious 'val' values to extract sensitive database information.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct, unauthenticated SQL injection in a public-facing admin endpoint lets an attacker exploit the web application itself (T1190) to reach database contents.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mandates validation of the 'val' parameter in admin/getrecord.php, ensuring inputs conform to the expected format and content before they reach a query.
- Input restriction: restricts 'val' to authorized values or patterns. Allowlisting (for example, accepting only the digits of a record id) is the form to use; denylists of SQL tokens are routinely bypassed by encoding and keyword variants.
- SI-2 (Flaw Remediation): requires identification, reporting and correction of the specific SQL injection flaw in admin/getrecord.php. The structural fix is to pass 'val' to the database as a bound parameter of a prepared statement rather than concatenating it into the SQL text; validation is defense in depth on top of that, not a substitute for it.
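The following Python example is added here and is not code from Homey BNB: the real query behind admin/getrecord.php is not published on this page, so the table, the column names and the query shape are assumptions chosen to mirror the description (a lookup keyed on 'val'). It contrasts the string-concatenated query that makes 'val' injectable with the same lookup using a bound parameter, and layers an SI-10 style allowlist check that assumes 'val' is meant to be a numeric record id. SQLite is used only so the example runs offline.

```python
import re
import sqlite3


# Hypothetical table standing in for whatever admin/getrecord.php reads; the real
# schema and query are not published on this page. Row contents are constructed.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE records (id INTEGER PRIMARY KEY, owner TEXT, secret TEXT);
        INSERT INTO records VALUES (1, 'alice', 's3cr3t-1');
        INSERT INTO records VALUES (2, 'bob',   's3cr3t-2');
        INSERT INTO records VALUES (3, 'carol', 's3cr3t-3');
    """)
    return conn


def get_record_vulnerable(conn, val: str):
    """The injectable pattern: 'val' is concatenated into the SQL text, so quotes,
    OR clauses and UNION clauses inside it are parsed as SQL. Deliberately unsafe."""
    sql = "SELECT id, owner FROM records WHERE id = '" + val + "'"
    return conn.execute(sql).fetchall()


def get_record_param_only(conn, val: str):
    """Parameter binding alone: the payload travels as data, never as SQL text,
    so an injection string simply matches no row."""
    return conn.execute("SELECT id, owner FROM records WHERE id = ?", (val,)).fetchall()


# SI-10 style allowlist: assumes 'val' is meant to be a decimal record id.
VAL_RE = re.compile(r"\d{1,10}")


def validate_val(val: str) -> int:
    """Reject anything that is not a plain integer id (defense in depth on top of binding)."""
    if not VAL_RE.fullmatch(val):
        raise ValueError("val must be a decimal record id")
    return int(val)


def hardened_accepts(val: str) -> bool:
    """True if the allowlist check lets 'val' through."""
    try:
        validate_val(val)
    except ValueError:
        return False
    return True


def get_record_hardened(conn, val: str):
    """Validate first, then bind: the remediated shape of the lookup."""
    return conn.execute(
        "SELECT id, owner FROM records WHERE id = ?", (validate_val(val),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "1' UNION SELECT owner, secret FROM records-- "
    print("vulnerable :", get_record_vulnerable(db, payload))  # UNION leaks the secret column
    print("param only :", get_record_param_only(db, payload))  # no row matches the payload
    print("hardened   :", hardened_accepts(payload))           # rejected before any query
```

Two things are worth observing when running it. With the UNION payload the concatenated query returns the legitimate row plus one row per secret, which is the confidentiality impact (C:H) the vector records; with a bound parameter the very same string is compared as a value and matches nothing. The allowlist then rejects the payload before any query runs, but it is the binding that removes the vulnerability class; a validator written to block known tokens instead of accepting a known-good shape would reopen the hole as soon as an attacker found a token it did not list.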