Description
Inout EasyRooms Ultimate Edition v1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the property1 parameter. Attackers can send POST requests to the search/searchdetailed endpoint with malicious SQL payloads to extract sensitive data or modify database contents.
Published: 2026-03-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection leading to data exposure or modification
Action: Immediate Patch
AI Analysis

Impact

Inout EasyRooms Ultimate Edition v1.0 contains an SQL injection vulnerability. The flaw exists in the property1 parameter of the search/searchdetailed endpoint, which is not properly sanitized. An unauthenticated attacker can inject arbitrary SQL code via POST requests, allowing reading of sensitive data or modification of database contents. This vulnerability is classified as CWE-89.

Affected Systems

The affected vendor is Inoutscripts, product Inout EasyRooms Ultimate Edition, version 1.0, as indicated by the known CNA product listing and CPE string. No other versions were specified in the provided data.

Risk and Exploitability

The CVSS base score of 8.8 indicates high severity. The EPSS score is below 1%, suggesting a low likelihood of exploitation, and the vulnerability is not listed in CISA KEV. Attackers can exploit this remotely by sending unauthenticated POST requests; the attack vector is inferred to be network-based. The flaw allows compromise of confidentiality and integrity of the application data.

Generated by OpenCVE AI on March 19, 2026 at 17:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch or upgrade to a version that no longer contains the SQL injection flaw.
  • If a patch is not yet available, restrict access to the /search/searchdetailed endpoint to trusted networks or block it entirely until remediation.
  • Implement input validation to sanitize the property1 parameter.
  • Monitor database activity for suspicious queries and review logs for potential exploitation attempts.

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 16:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Inoutscripts inout Homestay
CPEs | | cpe:2.3:a:inoutscripts:inout_homestay:1.0:*:*:*:ultimate:*:*:*
Vendors & Products | | Inoutscripts inout Homestay

Fri, 13 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Inoutscripts; Inoutscripts inout Easyrooms Ultimate Edition
Vendors & Products | | Inoutscripts; Inoutscripts inout Easyrooms Ultimate Edition

Thu, 12 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 16:00:00 +0000

Type | Values Removed | Values Added
Description | | Inout EasyRooms Ultimate Edition v1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the property1 parameter. Attackers can send POST requests to the search/searchdetailed endpoint with malicious SQL payloads to extract sensitive data or modify database contents.
Title | | Inout EasyRooms Ultimate Edition v1.0 SQL Injection via search
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}; cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-12T16:49:49.299Z

Reserved: 2026-03-12T13:57:28.951Z

Link: CVE-2019-25528

Vulnrichment

Updated: 2026-03-12T16:49:44.724Z

NVD

Status: Analyzed

Published: 2026-03-12T16:16:06.440

Modified: 2026-03-19T16:21:38.197

Link: CVE-2019-25528

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:49:16Z

Weaknesses