Description
Inout EasyRooms Ultimate Edition v1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the guests parameter. Attackers can send POST requests to the search/rentals endpoint with malicious SQL payloads to bypass authentication, extract sensitive data, or modify database contents.
Published: 2026-03-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Database Compromise
Action: Immediate Patch
AI Analysis

Impact

Inout EasyRooms Ultimate Edition v1.0 suffers from an unauthenticated SQL injection vulnerability that can be exploited by sending malicious SQL payloads via the guests parameter to the search/rentals endpoint. The flaw allows attackers to manipulate database queries, bypass authentication, extract sensitive data from the database, or modify data, leading to a significant confidentiality and integrity breach. The weakness is classified as CWE-89.

Affected Systems

Vendors: Inoutscripts. Product: Inout EasyRooms Ultimate Edition (version 1.0). The affected CPE identifier is cpe:2.3:a:inoutscripts:inout_homestay:1.0:*:*:*:ultimate:*:*:* which corresponds to the same product version.

Risk and Exploitability

The vulnerability has a CVSS score of 8.8, indicating high severity. However, the EPSS score is reported as less than 1%, suggesting a low probability of exploitation at present, and it is not listed in the CISA KEV catalog. The attack vector is likely network-based, requiring only unauthenticated HTTP POST requests to the vulnerable endpoint. Despite the low current exploitation probability, the potential impact on data confidentiality and integrity warrants immediate attention.

Generated by OpenCVE AI on March 19, 2026 at 17:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply vendor patch or upgrade to a fixed version if one is available.
  • If a patch is not available, restrict access to the search/rentals endpoint using firewall rules or IP filtering.
  • Implement input validation and parameterized queries to prevent SQL injection.
  • Monitor web application logs for suspicious POST requests and anomalous database activity.

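As an added illustration of the last two recommendations (not code from Inout EasyRooms, whose source is not on this page): a hypothetical search/rentals handler that splices the guests POST parameter into SQL text, beside a hardened version that allow-list validates the value and binds it as a query parameter. The rentals table, its rows and the function names are constructed for the demo.

```python
import re
import sqlite3

# Constructed sample data standing in for a rentals table; the real schema of
# Inout EasyRooms is not on the page and is not assumed here.
SAMPLE_RENTALS = [
    (1, "Harbour loft", 2, 1),
    (2, "Garden suite", 4, 1),
    (3, "Staff-only flat", 6, 0),  # unpublished: must never be returned
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE rentals (id INTEGER, name TEXT, max_guests INTEGER, published INTEGER)"
    )
    conn.executemany("INSERT INTO rentals VALUES (?, ?, ?, ?)", SAMPLE_RENTALS)
    return conn


def search_rentals_unsafe(conn: sqlite3.Connection, guests: str) -> list:
    # Vulnerable pattern (CWE-89): the raw POST parameter becomes part of the
    # SQL text, so anything the client sends can change the WHERE clause.
    sql = f"SELECT name FROM rentals WHERE published = 1 AND max_guests >= {guests}"
    return [row[0] for row in conn.execute(sql)]


# Allow-list: a guest count is 1..999 with no sign, spaces or other characters.
GUESTS_RE = re.compile(r"[1-9][0-9]{0,2}")


def is_valid_guests(raw: str) -> bool:
    return GUESTS_RE.fullmatch(raw) is not None


def parse_guests(raw: str) -> int:
    # Validate before the value gets anywhere near the database.
    if not is_valid_guests(raw):
        raise ValueError(f"guests must be a small positive integer, got {raw!r}")
    return int(raw)


def search_rentals_safe(conn: sqlite3.Connection, guests_raw: str) -> list:
    guests = parse_guests(guests_raw)
    # Parameterized query: the driver passes the value separately from the SQL
    # text, so it can only ever be compared as a number, never parsed as SQL.
    sql = "SELECT name FROM rentals WHERE published = 1 AND max_guests >= ?"
    return [row[0] for row in conn.execute(sql, (guests,))]
```

With the constructed data, guests=3 returns only "Garden suite" from both handlers, while a tautology such as "3 OR 1=1" makes the unsafe handler return every row (including the unpublished one) and is rejected outright by the hardened handler.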


Advisories

No advisories yet.

History

Thu, 19 Mar 2026 16:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Inoutscripts inout Homestay
CPEs | | cpe:2.3:a:inoutscripts:inout_homestay:1.0:*:*:*:ultimate:*:*:*
Vendors & Products | | Inoutscripts inout Homestay

Fri, 13 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Inoutscripts; Inoutscripts inout Easyrooms Ultimate Edition
Vendors & Products | | Inoutscripts; Inoutscripts inout Easyrooms Ultimate Edition

Thu, 12 Mar 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 16:00:00 +0000

Type | Values Removed | Values Added
Description | | Inout EasyRooms Ultimate Edition v1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the guests parameter. Attackers can send POST requests to the search/rentals endpoint with malicious SQL payloads to bypass authentication, extract sensitive data, or modify database contents.
Title | | Inout EasyRooms Ultimate Edition v1.0 SQL Injection via search
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}; cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-12T18:36:37.575Z

Reserved: 2026-03-12T13:56:37.479Z

Link: CVE-2019-25525

Vulnrichment

Updated: 2026-03-12T18:36:29.361Z

NVD

Status: Analyzed

Published: 2026-03-12T16:16:05.880

Modified: 2026-03-19T16:24:48.513

Link: CVE-2019-25525

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:49:19Z

Weaknesses