Description
Inout RealEstate contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the city parameter. Attackers can send POST requests to the agents/agentlistdetails endpoint with malicious SQL payloads in the city parameter to extract sensitive database information.
Published: 2026-03-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: unauthorized data exfiltration via SQL injection
Action: Apply Patch
AI Analysis

Impact

An unauthenticated attacker can send crafted POST requests to the agents/agentlistdetails endpoint and inject SQL code through the city parameter. This allows the attacker to modify database queries and retrieve sensitive database information, such as user data or configuration values. The vulnerability is a classic SQL injection (CWE-89) and can compromise data confidentiality and integrity.

Affected Systems

The affected product is Inout RealEstate from the vendor Inoutscripts. No specific version information is provided.

Risk and Exploitability

The CVSS score is 8.8, indicating high severity. The EPSS score is below 1%, suggesting a low current probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is an unauthenticated HTTP POST request to the /agents/agentlistdetails endpoint with a malicious city parameter; this inference is based on the description of the attack surface.

Generated by OpenCVE AI on March 18, 2026 at 14:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for vendor patch or update and apply if available. If no patch exists, consider blocking or rate‑limiting POST requests to the agents/agentlistdetails endpoint or placing the application behind a web application firewall that blocks SQL injection patterns.

Advisories

No advisories yet.

History

Sat, 14 Mar 2026 04:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Inoutscripts; Inoutscripts inout Realestate
Vendors & Products | | Inoutscripts; Inoutscripts inout Realestate

Thu, 12 Mar 2026 16:00:00 +0000

Type | Values Removed | Values Added
Description | | Inout RealEstate contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the city parameter. Attackers can send POST requests to the agents/agentlistdetails endpoint with malicious SQL payloads in the city parameter to extract sensitive database information.
Title | | Inout RealEstate Lastest SQL Injection via agentlistdetails
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
 | | cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-14T03:39:32.146Z

Reserved: 2026-02-23T12:14:34.061Z

Link: CVE-2019-25479

Vulnrichment

Updated: 2026-03-14T03:39:26.477Z

NVD

Status: Awaiting Analysis

Published: 2026-03-12T16:16:02.050

Modified: 2026-03-12T21:07:53.427

Link: CVE-2019-25479

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:49:36Z

Weaknesses