CVE-2019-25494 HIGH

CVE-2019-25494: Homey BNB V4 SQL Injection Authentication Bypass via Admin Panel

Vendor Doditsolutions

Product Homey BNB (Airbnb Clone Script)

Weakness CWE-89 · SQLi

Published February 27, 2026

Last update April 7, 2026

View on NVD All CVEs

CVSS base score

8.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Homey BNB V4 contains an SQL injection vulnerability in the administration panel login that allows unauthenticated attackers to bypass authentication by injecting SQL syntax into username and password fields. Attackers can submit SQL operators like '=' 'or' in both credentials to manipulate the authentication query and gain unauthorized access to the admin panel.

Key dates

02Disclosure timeline

February 27, 2026 CVE published

April 7, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2019-25494

Related vulnerabilities

CVE-2019-25494: Homey BNB V4 SQL Injection Authentication Bypass via Admin Panel

01Description

02Disclosure timeline

03References

04Related CVE