Montodel House-Rental-Management login.php sql injection
Description
A vulnerability was detected in Montodel House-Rental-Management up to 90010017b81265eb1ef3810268909f7719a33863. Affected by this issue is some unknown functionality of the file /login.php. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1- Range: <= 90010017b81265eb1ef3810268909f7719a33863
Patches
Vulnerability mechanics
Root cause
"Missing input validation and lack of parameterized queries in the login handler allow direct injection of SQL code via the username parameter."
Attack vector
An unauthenticated attacker sends a crafted POST request to `/House-Rental-Management-main/ajax.php?action=login` with a malicious `username` value. The payload `admin' AND (SELECT 3070 FROM (SELECT(SLEEP(5)))nxyZ) AND 'xnGS'='xnGS` demonstrates time‑based blind SQL injection, allowing the attacker to extract data character by character [ref_id=1]. The attack is remotely exploitable over HTTP with no prior authentication required.
Affected code
The vulnerability resides in `/login.php` (specifically the `ajax.php?action=login` endpoint) of the Montodel House-Rental-Management repository up to commit `90010017b81265eb1ef3810268909f7719a33863`. The `username` parameter is taken directly from the POST body and interpolated into SQL queries without sanitization or parameterization [ref_id=1].
What the fix does
The advisory recommends using prepared statements with parameter binding, which separates SQL code from user input so that injected values are never interpreted as executable SQL [ref_id=1]. Additional hardening steps include strict input validation and filtering, minimizing database user privileges, and conducting regular security audits. No official patch has been published by the vendor.
Preconditions
- networkNetwork access to the web application's login endpoint
- authNo authentication required
- inputThe vulnerable parameter is the POST 'username' field
Reproduction
Send a POST request to `/House-Rental-Management-main/ajax.php?action=login` with `username=admin' AND (SELECT 3070 FROM (SELECT(SLEEP(5)))nxyZ) AND 'xnGS'='xnGS&password=123456`. A 5‑second delay confirms the time‑based blind SQL injection [ref_id=1].
Generated on Jun 21, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/yihaofuweng/cve/issues/67mitreexploitissue-tracking
- vuldb.com/cve/CVE-2026-12775mitrethird-party-advisory
- vuldb.com/submit/835036mitrethird-party-advisory
- vuldb.com/vuln/372517mitrevdb-entrytechnical-description
- vuldb.com/vuln/372517/ctimitresignaturepermissions-required
News mentions
0No linked articles in our index yet.