Unrated severity · NVD Advisory · Published Jun 21, 2026

Montodel House-Rental-Management index.php houses sql injection

CVE-2026-12776

Description

A flaw has been found in Montodel House-Rental-Management up to 90010017b81265eb1ef3810268909f7719a33863. It affects an unknown part of the file /index.php?page=houses. Manipulating the argument ID causes SQL injection. The attack can be carried out remotely. The exploit has been published and may be used. This product uses a rolling release strategy for continuous delivery, so version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing input validation and sanitization of the 'id' parameter allows direct injection of user-controlled data into SQL queries."

Attack vector

An attacker sends a crafted POST request to `/ajax.php?action=delete_house` with a malicious `id` parameter. The payload is injected directly into SQL queries, enabling boolean-based blind and time-based blind SQL injection techniques [ref_id=1]. The attack is remotely exploitable over HTTP without authentication, as demonstrated by the sqlmap PoC.

Affected code

The vulnerability resides in the file `/index.php?page=houses` (full path `/House-Rental-Management-main/index.php?page=houses`) and the related AJAX endpoint `/ajax.php?action=delete_house`. The `id` parameter is taken directly from user input and used in SQL queries without sanitization or validation [ref_id=1].

What the fix does

The advisory recommends using prepared statements with parameter binding to separate SQL code from user input, strict input validation and filtering, minimizing database user permissions, and conducting regular security audits [ref_id=1]. No official patch has been released by the vendor.
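The two code-level recommendations above (strict validation of `id` and a prepared statement with parameter binding) look like this in PHP. This is an added example, not code from the project or the referenced write-up; the table name `houses`, the function name `delete_house()` and the in-memory SQLite database standing in for the application's real database are assumptions made so the script runs stand-alone (PHP 8 with `pdo_sqlite`).

```php
<?php
// Added illustration: NOT the project's code. The table name `houses`, the
// function name and the in-memory SQLite database are assumptions for the demo.
declare(strict_types=1);

/**
 * Hardened handler for a delete-by-id action.
 * Returns the number of rows deleted, or -1 if the id is rejected.
 */
function delete_house(PDO $db, mixed $rawId): int
{
    // 1. Strict validation: accept only a positive decimal integer.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return -1; // reject; the raw value never reaches the SQL layer
    }
    // 2. Parameter binding: the value is sent separately from the SQL text,
    //    so it can only ever be compared against the id column as data.
    $stmt = $db->prepare('DELETE FROM houses WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE houses (id INTEGER PRIMARY KEY, house_no TEXT)');
$db->exec("INSERT INTO houses (id, house_no) VALUES (1, 'A-1'), (2, 'B-2'), (3, 'C-3')");

// Constructed inputs: a legitimate id, the payload quoted in this advisory,
// and a missing value.
$inputs = [
    '2',
    '1 AND (SELECT 1916 FROM (SELECT(SLEEP(5)))ZdHO)',
    '',
];
foreach ($inputs as $in) {
    $n = delete_house($db, $in);
    printf("%-52s => %s\n", var_export($in, true), $n < 0 ? 'rejected' : "deleted $n row(s)");
}
$left = $db->query('SELECT COUNT(*) FROM houses')->fetchColumn();
echo "rows remaining: $left\n";
```

The other recommendations (minimal database privileges, regular audits) are deployment measures and are not covered by this snippet.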

Preconditions

  • network: The attacker must be able to send HTTP POST requests to the vulnerable endpoint.
  • auth: No authentication is required; the endpoint is publicly accessible.

Reproduction

Send a POST request to `/House-Rental-Management-main/ajax.php?action=delete_house` with the body `id=1 AND (SELECT 1916 FROM (SELECT(SLEEP(5)))ZdHO)` to trigger a time-based blind SQL injection. The full sqlmap payloads are documented in the reference write-up [ref_id=1].

Generated on Jun 21, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
