Description
A flaw has been found in Montodel House-Rental-Management up to 90010017b81265eb1ef3810268909f7719a33863. This affects an unknown part of the file /index.php?page=houses. This manipulation of the argument ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-06-21
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the /index.php?page=houses page of Montodel House‑Rental‑Management allows attackers to manipulate the ID argument so that arbitrary SQL commands are executed. This is an instance of unchecked input (CWE-74) combined with unparameterized queries (CWE-89). The result is that an attacker can read, modify, or delete records stored in the application’s database, jeopardizing the confidentiality and integrity of tenant and property data.

Affected Systems

Montodel’s House‑Rental‑Management product, up to the code revision 90010017b81265eb1ef3810268909f7719a33863, is affected. The product follows a rolling release model, so later releases may contain a fix, but specific version information is currently unavailable and the vendor has not responded to disclosure.

Risk and Exploitability

The CVSS score is 5.3, indicating moderate severity, and the Exploit Prediction Scoring System (EPSS) score is not available; the issue is not listed in the CISA KEV catalog. Attackers can exploit the vulnerability remotely by crafting a malicious ID value sent to the index page. The published exploit demonstrates that any attacker with network access to the web server can insert SQL fragments, potentially retrieving or altering database contents. Without an official patch, the risk remains present for all deployments awaiting an updated release.

Generated by OpenCVE AI on June 21, 2026 at 09:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Validate and sanitize every user‑supplied ID before it is used in a database query.
  • Deploy a web application firewall or input filtering rule that blocks SQL‑style patterns in the ID parameter.
  • Monitor application logs for anomalous query patterns and enforce strict least‑privilege database access.

Generated by OpenCVE AI on June 21, 2026 at 09:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 21 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description A flaw has been found in Montodel House-Rental-Management up to 90010017b81265eb1ef3810268909f7719a33863. This affects an unknown part of the file /index.php?page=houses. This manipulation of the argument ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way.
Title Montodel House-Rental-Management index.php houses sql injection
First Time appeared Montodel
Montodel house-rental-management
Weaknesses CWE-74
CWE-89
CPEs cpe:2.3:a:montodel:house-rental-management:*:*:*:*:*:*:*:*
Vendors & Products Montodel
Montodel house-rental-management
References
Metrics cvssV2_0

{'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Montodel House-rental-management
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-21T04:45:08.051Z

Reserved: 2026-06-20T09:32:07.006Z

Link: CVE-2026-12776

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-21T09:30:09Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')