Description
Homey BNB V4 contains an SQL injection vulnerability in the administration panel login that allows unauthenticated attackers to bypass authentication by injecting SQL syntax into the username and password fields. Attackers can submit SQL operators such as '=' 'or' in both credential fields to manipulate the authentication query and gain unauthorized access to the admin panel.
Exploits (1)
exploitdb
WORKING POC
by Ahmet Ümit BAYRAM · text · webapps · php
https://www.exploit-db.com/exploits/46616
References (3)
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/46616
Various Sources product
https://www.doditsolutions.com/airbnb-clone-script/
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/homey-bnb-sql-injection-authentication-bypass-via-admin-panel
Scores
CVSS v3: 8.2
EPSS: 0.0040
EPSS Percentile: 60.7%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-89
Status: published
Products (2)
doditsolutions/airbnb_clone_script: 4
Doditsolutions/Homey BNB (Airbnb Clone Script): V4
Published: Feb 27, 2026
Tracked Since: Feb 28, 2026