📧 info@ciso.sa | 📱 +966550939344 | Riyadh, Kingdom of Saudi Arabia
About FAQ Contact Us Terms of Service Privacy Policy 🌐 العربية
🔐

Welcome — Sign in or create an account for full access.

🔑 Sign In ✨ Register
🌐 العربية Sign In Create Account
🔧 Scheduled Maintenance — Saturday 2:00-4:00 AM AST. Some features may be temporarily unavailable.    ●   
💎
Pro Plan 50% Off Unlock all AI features, unlimited reports, and priority support. Upgrade
Search Center
ESC to close
navigate open Ctrl+K search
CISO Consulting
Global supply_chain Software Development and Technology HIGH 3h Global apt Government/Critical Infrastructure CRITICAL 5h Global vulnerability Enterprise Software / Data Analytics CRITICAL 6h Global vulnerability Artificial Intelligence and Technology HIGH 9h Global general Technology and Artificial Intelligence MEDIUM 13h Global general Technology and Artificial Intelligence HIGH 14h Global vulnerability Higher Education CRITICAL 23h Global data_breach Government HIGH 1d Global supply_chain Software Development and Open Source Communities CRITICAL 1d Global malware Software Development CRITICAL 1d Global supply_chain Software Development and Technology HIGH 3h Global apt Government/Critical Infrastructure CRITICAL 5h Global vulnerability Enterprise Software / Data Analytics CRITICAL 6h Global vulnerability Artificial Intelligence and Technology HIGH 9h Global general Technology and Artificial Intelligence MEDIUM 13h Global general Technology and Artificial Intelligence HIGH 14h Global vulnerability Higher Education CRITICAL 23h Global data_breach Government HIGH 1d Global supply_chain Software Development and Open Source Communities CRITICAL 1d Global malware Software Development CRITICAL 1d Global supply_chain Software Development and Technology HIGH 3h Global apt Government/Critical Infrastructure CRITICAL 5h Global vulnerability Enterprise Software / Data Analytics CRITICAL 6h Global vulnerability Artificial Intelligence and Technology HIGH 9h Global general Technology and Artificial Intelligence MEDIUM 13h Global general Technology and Artificial Intelligence HIGH 14h Global vulnerability Higher Education CRITICAL 23h Global data_breach Government HIGH 1d Global supply_chain Software Development and Open Source Communities CRITICAL 1d Global malware Software Development CRITICAL 1d
Vulnerabilities

CVE-2019-25491

High
Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the catid parameter. Attackers can send GET requ
CWE-89 — Weakness Type
Published: Feb 27, 2026  ·  Modified: Feb 28, 2026  ·  Source: NVD
CVSS v3
8.2
🔗 NVD Official
📄 Description (English)

Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the catid parameter. Attackers can send GET requests to the admin/cms_getpagetitle.php endpoint with malicious catid values to extract sensitive database information.

🤖 AI Executive Summary

CVE-2019-25491 is a critical SQL injection vulnerability in Homey BNB V4 affecting the admin/cms_getpagetitle.php endpoint. Unauthenticated attackers can inject malicious SQL code through the catid parameter to extract sensitive database information. With a CVSS score of 8.2 and no authentication required, this vulnerability poses an immediate threat to organizations using this platform.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Apr 25, 2026 08:56
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi hospitality and tourism sector organizations using Homey BNB V4 for property management and booking systems. At-risk sectors include: Tourism & Hospitality (hotels, vacation rentals), E-commerce platforms integrating Homey BNB, and small-to-medium enterprises (SMEs) in the travel sector. Potential exposure includes customer personal data, payment information, booking details, and property management credentials. Organizations under SAMA oversight using this platform for any financial transactions face additional compliance risks.
🏢 Affected Saudi Sectors
Hospitality & Tourism E-commerce Small-to-Medium Enterprises (SMEs) Travel & Booking Services Property Management
⚖️ Saudi Risk Score (AI)
8.5
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:

1. Identify all systems running Homey BNB V4 and isolate affected instances from production if possible

2. Review access logs for admin/cms_getpagetitle.php endpoint for suspicious activity (unusual catid parameters, SQL keywords)

3. Implement Web Application Firewall (WAF) rules to block SQL injection patterns in catid parameter



PATCHING:

1. Apply the available patch immediately to all Homey BNB V4 installations

2. Test patch in staging environment before production deployment

3. Verify patch effectiveness by attempting known SQL injection payloads



COMPENSATING CONTROLS (if patch delayed):

1. Restrict access to admin/cms_getpagetitle.php endpoint via IP whitelisting

2. Implement input validation: allow only numeric values for catid parameter

3. Use parameterized queries/prepared statements in application code

4. Enable database query logging and monitoring



DETECTION RULES:

1. Monitor for GET requests to admin/cms_getpagetitle.php with SQL keywords (UNION, SELECT, DROP, INSERT, etc.) in catid parameter

2. Alert on multiple failed database queries from single source IP

3. Track unusual database access patterns or data exfiltration attempts
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:

1. تحديد جميع الأنظمة التي تعمل بـ Homey BNB V4 وعزل الحالات المتأثرة عن الإنتاج إن أمكن

2. مراجعة سجلات الوصول لنقطة نهاية admin/cms_getpagetitle.php للبحث عن نشاط مريب (معاملات catid غير عادية، كلمات SQL)

3. تطبيق قواعد جدار حماية تطبيقات الويب (WAF) لحجب أنماط حقن SQL في معامل catid



التصحيح:

1. تطبيق التصحيح المتاح فوراً على جميع تثبيتات Homey BNB V4

2. اختبار التصحيح في بيئة التجريب قبل نشره في الإنتاج

3. التحقق من فعالية التصحيح بمحاولة حمولات حقن SQL المعروفة



الضوابط البديلة (إذا تأخر التصحيح):

1. تقييد الوصول إلى نقطة نهاية admin/cms_getpagetitle.php عبر قائمة بيضاء للعناوين

2. تطبيق التحقق من الإدخال: السماح فقط بالقيم الرقمية لمعامل catid

3. استخدام الاستعلامات المعاملة/البيانات المحضرة في كود التطبيق

4. تفعيل تسجيل واستراقاب استعلامات قاعدة البيانات



قواعد الكشف:

1. مراقبة طلبات GET إلى admin/cms_getpagetitle.php التي تحتوي على كلمات SQL (UNION, SELECT, DROP, INSERT, إلخ) في معامل catid

2. التنبيه على استعلامات قاعدة بيانات متعددة فاشلة من عنوان IP واحد

3. تتبع أنماط الوصول غير العادية لقاعدة البيانات أو محاولات تسرب البيانات
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.14.2.1 - Secure development policy and procedures A.14.2.5 - Secure development environment A.13.1.3 - Segregation of networks A.12.6.1 - Management of technical vulnerabilities
🔵 SAMA CSF
ID.BE-5 - Organizational resilience with respect to cybersecurity risk PR.DS-6 - Integrity checking mechanisms DE.CM-1 - The network is monitored to detect potential cybersecurity events RS.MI-2 - Incidents are mitigated
🟡 ISO 27001:2022
A.12.2.1 - Implementation of secure development policy A.12.6.1 - Management of technical vulnerabilities A.14.2.1 - Secure development policy and procedures A.13.1.1 - Network controls
🟣 PCI DSS v4.0.1
6.5.1 - Injection flaws prevention 6.2 - Security patches and updates 11.2 - Vulnerability scanning
📊 CVSS Score
8.2
/ 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack VectorN — None / Network
Attack ComplexityL — Low / Local
Privileges RequiredN — None / Network
User InteractionN — None / Network
ScopeU — Unchanged
ConfidentialityH — High
IntegrityL — Low / Local
AvailabilityN — None / Network
📋 Quick Facts
Severity High
CVSS Score8.2
CWECWE-89
EPSS0.07%
Exploit No
Patch ✓ Yes
Published 2026-02-27
Source Feed nvd
Views 5
🇸🇦 Saudi Risk Score
8.5
/ 10.0 — Saudi Risk
Priority: CRITICAL
🏷️ Tags
CWE-89
⚡ Actions
🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details
Share this CVE
LinkedIn X / Twitter WhatsApp Telegram

💬 Comments

0
Loading comments
📣 Found this valuable?
Share it with your cybersecurity network
in LinkedIn 𝕏 X / Twitter 💬 WhatsApp ✈ Telegram
🍪 Privacy Preferences
CISO Consulting — Compliant with Saudi Personal Data Protection Law (PDPL)
We use cookies and similar technologies to provide the best experience on our platform. You can choose which types you accept.
🔒
Essential Always On
Required for the website to function properly. Cannot be disabled.
📋 Sessions, CSRF tokens, authentication, language preferences
📊
Analytics
Help us understand how visitors use the site and improve performance.
📋 Page views, session duration, traffic sources, performance metrics
⚙️
Functional
Enable enhanced features like content personalization and preferences.
📋 Dark/light theme, font size, custom dashboards, saved filters
📣
Marketing
Used to deliver content and ads relevant to your interests.
📋 Campaign tracking, retargeting, social media analytics
Privacy Policy →
CISO AI Assistant
Ask anything · Documents · Support
🔐

Introduce Yourself

Enter your details to access the full assistant

Your info is private and never shared
💬
CyberAssist
Online · responds in seconds
5 / 5
🔐 Verify Your Identity

Enter your email to receive a verification code before submitting a support request.

Enter to send · / for commands 0 / 2000
CISO AI · Powered by Anthropic Claude
✦ Quick Survey Help Us Improve CISO Consulting Your feedback shapes the future of our platform — takes less than 2 minutes.
⚠ Please answer this question to continue

How would you rate your overall experience with our platform?

Rate from 1 (poor) to 5 (excellent)

🎉
Thank you!
Your response has been recorded.