Homey BNB SQL Injection Vulnerability
Vulnerability
A SQL injection vulnerability has been identified in Homey BNB version 4. This vulnerability allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pt' parameter. Exploitation of this vulnerability involves sending GET requests to the 'admin/getcmsdata.php' endpoint with crafted 'pt' values, enabling attackers to extract sensitive information from the database.
Impact
Exploitation of this vulnerability allows for unauthorized database access and data extraction, potentially leading to exposure of sensitive information.
Reproduction
To reproduce this vulnerability, send a GET request to the 'admin/getcmsdata.php' endpoint with a crafted 'pt' parameter that includes SQL injection payloads. The injected SQL code can be used to manipulate the database query and extract information from the database.
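For detection, the request shape described above can be searched for in web server access logs. The following is an added example, not part of the original advisory or the Homey BNB code base: it assumes combined-format access logs, and the marker pattern is a heuristic chosen for illustration; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

ENDPOINT = "admin/getcmsdata.php"  # endpoint named in the advisory
PARAM = "pt"                       # parameter named in the advisory

# Request field of a combined-format log line: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Heuristic markers (assumption): quoting/comment/separator characters,
# common SQL keywords, and numeric tautologies such as "or 1=1".
SQLI_RE = re.compile(
    r"['\"`;()]|--|/\*|#|\b(?:union|select|sleep|benchmark|information_schema)\b"
    r"|\b(?:or|and)\b\s+\d+\s*=\s*\d+", re.I)

def decode_fully(value, rounds=3):
    """Undo repeated URL encoding so double-encoded values are inspected too."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(log_lines):
    """Return (client_ip, decoded_pt) for GET requests to the endpoint whose pt looks like SQL."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m or m.group("method") != "GET":
            continue
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith(ENDPOINT):
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            value = decode_fully(raw)
            if SQLI_RE.search(value):
                hits.append((line.split()[0], value))
    return hits

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /admin/getcmsdata.php?pt=about HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /admin/getcmsdata.php?pt=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120',
    '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "GET /admin/getcmsdata.php?pt=1%2520UNION%2520SELECT%2520NULL HTTP/1.1" 200 40',
    '198.51.100.7 - - [01/Jan/2024:10:01:02 +0000] "GET /index.php?pt=1%27 HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}\t{value!r}")
```

Because the advisory describes the endpoint as reachable without authentication, flagged requests with a 200 status and an unusually large response size deserve priority during triage.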
