Description
A vulnerability was detected in Montodel House-Rental-Management up to 90010017b81265eb1ef3810268909f7719a33863. Affected by this issue is some unknown functionality of the file /login.php. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-21
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Montodel House‑Rental‑Management contains a flaw in login.php that allows the Username argument to be manipulated for SQL injection. Attackers can send crafted HTTP requests to inject arbitrary SQL, potentially reading, modifying, or deleting data in the application database. The vulnerability is exploitable remotely and the exploit code has been made public, meaning an attacker with network access can attempt it without additional privileges.

Affected Systems

Any instance of Montodel House‑Rental‑Management running a code base prior to the commit 90010017b81265eb1ef3810268909f7719a33863. Because the product follows a rolling release model, specific version numbers for non‑affected releases are not available. Users of any older snapshot are potentially vulnerable until a patched release is delivered by the vendor.

Risk and Exploitability

Based on the description, it is inferred that the exploit can be launched remotely from any IP that can access the /login.php endpoint. The CVSS score of 6.9 indicates moderate severity, and because the EPSS score is unavailable, a precise exploitation likelihood cannot be quantified. The vulnerability is not in the CISA KEV catalog, but the public availability of exploit code increases the risk of exploitation. Attackers could manipulate the Username field to inject arbitrary SQL, potentially reading, modifying, or deleting data in the application database and compromising credential confidentiality and integrity.

Generated by OpenCVE AI on June 21, 2026 at 10:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Immediately apply any vendor‑supplied patch or updated release once available.
  • If a patch is not yet available, implement a web application firewall rule that detects and blocks SQL‑injection patterns on the Username parameter of /login.php.
  • Restrict the database user permissions used by the application to the minimum necessary rights, eliminating write or administrative privileges that could exacerbate damage from a successful injection.

Generated by OpenCVE AI on June 21, 2026 at 10:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 23 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 21 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in Montodel House-Rental-Management up to 90010017b81265eb1ef3810268909f7719a33863. Affected by this issue is some unknown functionality of the file /login.php. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
Title Montodel House-Rental-Management login.php sql injection
First Time appeared Montodel
Montodel house-rental-management
Weaknesses CWE-74
CWE-89
CPEs cpe:2.3:a:montodel:house-rental-management:*:*:*:*:*:*:*:*
Vendors & Products Montodel
Montodel house-rental-management
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Montodel House-rental-management
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-23T02:40:40.801Z

Reserved: 2026-06-20T09:32:04.530Z

Link: CVE-2026-12775

cve-icon Vulnrichment

Updated: 2026-06-23T02:40:25.751Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-21T11:45:04Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')