CVE-2026-15498

sergomanov · SmartHomeAdatum

A SQL injection vulnerability exists in the sergomanov SmartHomeAdatum Login component (users.php), allowing unauthenticated attackers to potentially access or manipulate database information.

Executive summary

An unauthenticated SQL injection vulnerability in sergomanov SmartHomeAdatum allows for potential unauthorized database access.

Vulnerability

This vulnerability consists of SQL injection (CWE-89) and general injection (CWE-74) flaws within the users.php file of the Login component. The vulnerability is accessible to unauthenticated remote attackers.

Business impact

With a CVSS score of 7.3, this vulnerability represents a High severity risk. Successful exploitation could lead to unauthorized access to the underlying database, data exfiltration, or modification of application state. Because SmartHomeAdatum follows a rolling release model without discrete versioning, users are at persistent risk until the upstream source code is updated.

Remediation

Immediate Action: Since no formal patch is available, administrators should audit the users.php file and implement input sanitization and parameterized queries to neutralize the injection vector.

Proactive Monitoring: Monitor application logs for SQL syntax errors or unexpected database queries that might indicate an active injection attempt.

Compensating Controls: Deploy a Web Application Firewall (WAF) with SQL injection protection rules to block malicious payloads targeting the login interface.

Exploitation status

Public Exploit Available: No (unknown)

Analyst recommendation

Due to the lack of an official patch and the nature of SQL injection, users of SmartHomeAdatum should immediately restrict access to the login interface. If the functionality is not business-critical, consider disabling the affected component until the upstream repository provides a security update.