Description
Inout EasyRooms Ultimate Edition v1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the numguest parameter. Attackers can send POST requests to the search/searchdetailed endpoint with malicious SQL payloads to bypass authentication, extract sensitive data, or modify database contents.
Published: 2026-03-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection allowing unauthenticated data access and modification
Action: Apply Patch
AI Analysis

Impact

An SQL injection flaw exists in the Inout EasyRooms Ultimate Edition v1.0 application via the numguest parameter of the searchdetailed POST endpoint. The vulnerability stems from lack of input validation, enabling attackers to embed malicious SQL commands. This flaw permits unauthenticated users to bypass authentication mechanisms, retrieve sensitive database content, and modify or delete data. The weakness is classified as CWE‑89.

Affected Systems

The affected product is Inout EasyRooms Ultimate Edition, version 1.0, as identified by the CPE string cpe:2.3:a:inoutscripts:inout_homestay:1.0:*:*:*:ultimate:*:*:*. No other versions are mentioned in the source data, so the impact is specific to the v1.0 release.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only that the vulnerable endpoint be reachable; no authentication is needed. Attackers can leverage standard HTTP POST requests to inject SQL, implying a remote web-based attack vector.

Generated by OpenCVE AI on March 19, 2026 at 17:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor’s official website or support portal for a patch or newer version of Inout EasyRooms Ultimate Edition; apply any available update immediately.
  • If no patch is available, restrict network access to the affected endpoint (search/searchdetailed) so that only trusted internal users can invoke it.
  • Implement strict input validation or parameterized queries on the numguest parameter to block malformed SQL payloads.
  • Deploy a Web Application Firewall rule set that detects and blocks common SQL injection patterns against the affected endpoint.
  • Audit the database for unauthorized changes and consider applying additional database-level security controls such as least‑privilege access for the application user.

Generated by OpenCVE AI on March 19, 2026 at 17:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Inoutscripts inout Homestay
CPEs cpe:2.3:a:inoutscripts:inout_homestay:1.0:*:*:*:ultimate:*:*:*
Vendors & Products Inoutscripts inout Homestay

Fri, 13 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Inoutscripts
Inoutscripts inout Easyrooms Ultimate Edition
Vendors & Products Inoutscripts
Inoutscripts inout Easyrooms Ultimate Edition

Thu, 12 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
Description Inout EasyRooms Ultimate Edition v1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the numguest parameter. Attackers can send POST requests to the search/searchdetailed endpoint with malicious SQL payloads to bypass authentication, extract sensitive data, or modify database contents.
Title Inout EasyRooms Ultimate Edition v1.0 SQL Injection via searchdetailed
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Inoutscripts Inout Easyrooms Ultimate Edition Inout Homestay
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-12T16:48:20.145Z

Reserved: 2026-03-12T13:57:18.006Z

Link: CVE-2019-25527

cve-icon Vulnrichment

Updated: 2026-03-12T16:48:16.405Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-12T16:16:06.257

Modified: 2026-03-19T16:24:30.880

Link: CVE-2019-25527

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:49:17Z

Weaknesses