First CVE: SQL Injection in PiHome v1.77

As a web developer with a strong interest in security, I recently decided to hunt for vulnerabilities just for fun—and it led to my first-ever CVE! 🎉 I discovered an SQL Injection vulnerability in PiHome v1.77, a smart home automation system, earning CVE-2025-1184.

The Discovery

While exploring PiHome’s code, I found an unsanitized SQL query in ajax.php, specifically in the GetModal_MQTTAddEdit function. The id parameter was being used directly in an SQL query without proper validation, making it vulnerable to injection attacks.

Proof of Concept

A simple payload like 1 OR SLEEP(5)-- confirmed the vulnerability by causing a 5-second delay, proving that arbitrary SQL execution was possible. This flaw could allow an attacker to access or manipulate the database, posing a serious security risk.

Why I Did It

I took on this challenge purely out of curiosity and to earn my first CVE. Finding and responsibly disclosing a security issue was a rewarding experience, reinforcing my understanding of web security, responsible disclosure, and real-world exploitation techniques.

Lessons Learned

This experience showed me the importance of secure coding, especially in applications handling sensitive data. It also motivated me to continue learning and contributing to web security by identifying and reporting vulnerabilities.

🔗 Full Advisory: PiHome SQLi - CVE-2025-1184

This is just the beginning—I’m excited to see where this journey takes me next! 🚀