CVE-2026-54419: Unauthenticated SQL Injection in PIAF-HMS
Status: Received - Intake

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: 309f9ea4-e3e9-4c6c-b79d-e8eb01244f2c

Description
claudiopizzillo PIAF-HMS (PBX-In-A-Flash Hotel Management System; no released versions, latest commit 389d2633441b65ced1c104212cd62be2bfca21e5) contains multiple unauthenticated SQL injection vulnerabilities. The application has no authentication mechanism and passes user-supplied HTTP parameters directly into deprecated mysql_query() calls via string concatenation, without sanitization, escaping, or parameterization. Affected sinks include rooms.php (DELETE FROM Rooms WHERE ID = $_GET['ID'], unquoted numeric context), checkuser.php (WHERE Ext = '$_GET["Ext"]'), ec.php (date/extension parameters in a WHERE), checkin.php and wakeup.php ($_POST values into INSERT statements), bills.php ($_POST fields built into a WHERE clause), and rates.php and checkout.php. A remote, unauthenticated attacker can inject arbitrary SQL to read, modify, or delete arbitrary records in the backing database (e.g. rooms.php?ID=1 OR 1=1 deletes all room records). Note: queries run via the legacy mysql_* extension, which does not permit stacked statements.
Meta Information
Generated: 2026-06-19
AI Q&A: 2026-06-18
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: claudiopizzillo
Product: piaf-hms
Version / Range: * (all commits; no released versions)
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Executive Summary

CVE-2026-54419 is a set of multiple unauthenticated SQL injection vulnerabilities in the PIAF-HMS (PBX-In-A-Flash Hotel Management System) application. The system lacks any authentication mechanism and directly inserts user-supplied HTTP parameters into deprecated mysql_query() calls without sanitization, escaping, or parameterization. This insecure coding practice allows a remote attacker to inject arbitrary SQL commands through various PHP scripts such as rooms.php, checkuser.php, ec.php, checkin.php, wakeup.php, bills.php, rates.php, and checkout.php.

Because the application uses the legacy mysql_* extension and concatenates input directly into SQL queries, an attacker can manipulate queries to read, modify, or delete records in the database. For example, sending a specially crafted request like rooms.php?ID=1 OR 1=1 can delete all room records. The vulnerability is severe due to the lack of authentication and the high impact on confidentiality, integrity, and availability.

Impact Analysis

This vulnerability can have a critical impact on your system and data. Since it allows unauthenticated remote attackers to perform SQL injection, they can read sensitive information, modify data, or delete records in the hotel's management database.

  • Loss of data integrity by unauthorized modification or deletion of records such as room information, user data, billing details, and call records.
  • Exposure of sensitive information stored in the database, potentially including customer or operational data.
  • Disruption of hotel management operations due to data corruption or deletion.
  • Complete compromise of the backend database, leading to loss of trust and operational downtime.
Detection Guidance

Presence of the vulnerability can be confirmed by submitting SQL payloads in the GET or POST parameters accepted by the affected scripts (rooms.php, checkuser.php, ec.php, checkin.php, wakeup.php, bills.php, rates.php, checkout.php) and observing whether query behaviour changes.

  • Use curl or similar tools to send HTTP requests with SQL injection payloads, e.g., for rooms.php: curl "http://target/rooms.php?ID=1 OR 1=1". This particular payload is destructive, so exercise it only against a disposable copy of the database.
  • Check for unexpected behavior such as deletion of all records or error messages indicating SQL syntax errors.
  • Monitor web server logs for suspicious requests containing SQL keywords or unusual parameter values.
  • Use network monitoring tools to detect anomalous HTTP requests targeting the vulnerable scripts with SQL injection patterns.
Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable PHP scripts to trusted users or internal networks since the application lacks authentication.

Disable or remove the affected scripts (rooms.php, checkuser.php, ec.php, checkin.php, wakeup.php, bills.php, rates.php, checkout.php) until proper fixes are applied.

Implement input validation and sanitization to prevent SQL injection by avoiding direct concatenation of user input into SQL queries.

Migrate from deprecated mysql_* functions to modern database APIs that support parameterized queries (e.g., PDO or MySQLi with prepared statements).
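As an added illustration, not code from the PIAF-HMS repository, the rooms.php delete sink as the description above characterises it, beside a PDO prepared-statement version that also validates the unquoted numeric context. The table and column names (Rooms, ID) come from the advisory; the DSN, credentials and the mysql_query() call site are assumed placeholders.

```php
<?php
declare(strict_types=1);

// --- Vulnerable pattern (legacy mysql_* extension, string concatenation) ---
// The advisory describes rooms.php building "DELETE FROM Rooms WHERE ID = $_GET['ID']".
// With no quoting, a value such as "1 OR 1=1" rewrites the WHERE clause rather
// than being treated as a number. The function only returns the query text that
// mysql_query() would receive, since mysql_* no longer exists in PHP 7+.
function build_delete_room_query_vulnerable(string $id): string
{
    return "DELETE FROM Rooms WHERE ID = " . $id;
}

// --- Hardened version: validate the type, then bind as a parameter ---
function delete_room_safe(PDO $db, string $rawId): int
{
    // Numeric context: reject anything that is not a positive integer up front.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('ID must be a positive integer');
    }
    // The SQL text never contains user data; the value travels as a bound parameter.
    $stmt = $db->prepare('DELETE FROM Rooms WHERE ID = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();   // number of rows actually deleted (expected 0 or 1)
}

// Connection helper: native prepares, exceptions instead of silent failure.
// DSN and credentials are placeholders, not values from the project.
function connect(): PDO
{
    return new PDO('mysql:host=127.0.0.1;dbname=HOTEL_DB_PLACEHOLDER', 'USER', 'PASS', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Demonstration of the difference on the advisory's own example input.
$payload = '1 OR 1=1';
echo build_delete_room_query_vulnerable($payload), PHP_EOL;
// -> DELETE FROM Rooms WHERE ID = 1 OR 1=1   (every row matches)

try {
    delete_room_safe(connect(), $payload);      // never reaches the database
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

With the hardened function, a legitimate request such as ID=7 deletes at most the single row with that ID, and any non-integer value is refused before a statement is prepared.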

Apply network-level protections such as web application firewalls (WAF) to block SQL injection attempts.

Compliance Impact

The vulnerability allows remote, unauthenticated attackers to perform SQL injection attacks that can read, modify, or delete arbitrary records in the database. This can lead to unauthorized access and manipulation of sensitive data.

Such unauthorized data access and modification can result in violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls to protect personal and sensitive information.

Because the application lacks authentication and sanitization, it fails to ensure data confidentiality, integrity, and availability, which are core requirements of these regulations.
