CVE-2026-54419
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk43th percentile — higher than 43% of all known CVEs
Summary
The PIAF-HMS hotel management system contains multiple unauthenticated SQL injection vulnerabilities. The application lacks an authentication mechanism and directly passes user-supplied HTTP parameters into deprecated mysql_query() calls without sanitization.
Risk Assessment
A remote, unauthenticated attacker can inject arbitrary SQL, allowing them to read, modify, or delete records in the database. This poses a serious threat to data integrity and confidentiality.
Recommendation
It is recommended to implement an authentication mechanism and use secure database access methods, such as prepared statements, to prevent SQL injection.
Original NVD description (English source)
claudiopizzillo PIAF-HMS (PBX-In-A-Flash Hotel Management System; no released versions, latest commit 389d2633441b65ced1c104212cd62be2bfca21e5) contains multiple unauthenticated SQL injection vulnerabilities. The application has no authentication mechanism and passes user-supplied HTTP parameters directly into deprecated mysql_query() calls via string concatenation, without sanitization, escaping, or parameterization. Affected sinks include rooms.php (DELETE FROM Rooms WHERE ID = $_GET['ID'], unquoted numeric context), checkuser.php (WHERE Ext = '$_GET["Ext"]'), ec.php (date/extension parameters in a WHERE), checkin.php and wakeup.php ($_POST values into INSERT statements), bills.php ($_POST fields built into a WHERE clause), and rates.php and checkout.php. A remote, unauthenticated attacker can inject arbitrary SQL to read, modify, or delete arbitrary records in the backing database (e.g. rooms.php?ID=1 OR 1=1 deletes all room records). Note: queries run via the legacy mysql_* extension, which does not permit stacked statements.

