{"timestamp":"2026-06-18T12:01:03.819166Z","id":"CVE-2026-54419","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}

claudiopizzillo PIAF-HMS (PBX-In-A-Flash Hotel Management System; no released versions, latest commit 389d2633441b65ced1c104212cd62be2bfca21e5) contains multiple unauthenticated SQL injection vulnerabilities. The application has no authentication mechanism and passes user-supplied HTTP parameters directly into deprecated mysql_query() calls via string concatenation, without sanitization, escaping, or parameterization. Affected sinks include rooms.php (DELETE FROM Rooms WHERE ID = $_GET['ID'], unquoted numeric context), checkuser.php (WHERE Ext = '$_GET["Ext"]'), ec.php (date/extension parameters in a WHERE), checkin.php and wakeup.php ($_POST values into INSERT statements), bills.php ($_POST fields built into a WHERE clause), and rates.php and checkout.php. A remote, unauthenticated attacker can inject arbitrary SQL to read, modify, or delete arbitrary records in the backing database (e.g. rooms.php?ID=1 OR 1=1 deletes all room records). Note: queries run via the legacy mysql_* extension, which does not permit stacked statements.

AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-89

https://github.com/claudiopizzillo/PIAF-HMS

https://github.com/claudiopizzillo/PIAF-HMS/blob/389d2633441b65ced1c104212cd62be2bfca21e5/ec.php#L57

https://github.com/claudiopizzillo/PIAF-HMS/blob/389d2633441b65ced1c104212cd62be2bfca21e5/rooms.php#L16

[{"vendor":"claudiopizzillo","product":"PIAF-HMS","defaultStatus":"affected","collectionURL":"https://github.com/claudiopizzillo/PIAF-HMS","programFiles":["checkin.php","checkout.php","rates.php","rooms.php","bills.php","wakeup.php","checkuser.php","ec.php"],"repo":"https://github.com/claudiopizzillo/PIAF-HMS"}]