Description
Netartmedia PHP Real Estate Agency 4.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the features[] parameter. Attackers can send POST requests to index.php with crafted SQL payloads in the features[] parameter to extract sensitive database information or manipulate database queries.
Published: 2026-03-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Exfiltration
Action: Apply Patch
AI Analysis

Impact

Netartmedia PHP Real Estate Agency 4.0 includes an SQL injection flaw in the features[] parameter within index.php. The unvalidated user input allows an unauthenticated attacker to inject arbitrary SQL code, which can be used to read sensitive database content or modify records. This vulnerability is classified as CWE-89 and can compromise the confidentiality and integrity of the application’s data.

Affected Systems

Affected systems are instances of Netartmedia PHP Real Estate Agency version 4.0. No other affected versions are listed in the data provided.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity, while the EPSS score of less than 1% suggests a low probability of current exploitation. The vulnerability is not part of the CISA Known Exploited Vulnerabilities catalog. Attackers can exploit the flaw by sending unauthenticated POST requests to index.php with crafted SQL payloads in the features[] parameter, taking advantage of the lack of input sanitization to gain database access.

Generated by OpenCVE AI on March 18, 2026 at 15:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether Netartmedia has released a patch for the PHP Real Estate Agency 4.0 release and upgrade to the patched version if available.
  • If no patch is available, deploy a web application firewall rule or similar input‑validation mechanism to block or sanitize SQL special characters in the features[] parameter.
  • Monitor web logs for repeated attempts to POST the features[] parameter with suspicious or SQL‑like content and block offending IP addresses as needed.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 10:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Netartmedia; Netartmedia php Real Estate Agency |
| Vendors & Products | | Netartmedia; Netartmedia php Real Estate Agency |

Thu, 12 Mar 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 12 Mar 2026 16:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Netartmedia PHP Real Estate Agency 4.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the features[] parameter. Attackers can send POST requests to index.php with crafted SQL payloads in the features[] parameter to extract sensitive database information or manipulate database queries. |
| Title | | Netartmedia PHP Real Estate Agency 4.0 SQL Injection via features parameter |
| Weaknesses | | CWE-89 |
| References | | |
| Metrics | | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}; cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-12T16:26:31.922Z

Reserved: 2026-03-12T14:25:10.051Z

Link: CVE-2019-25536

Vulnrichment

Updated: 2026-03-12T16:26:16.653Z

NVD

Status: Awaiting Analysis

Published: 2026-03-12T16:16:07.970

Modified: 2026-03-12T21:07:53.427

Link: CVE-2019-25536

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:49:09Z

Weaknesses