Description
claudiopizzillo PIAF-HMS (PBX-In-A-Flash Hotel Management System; no released versions, latest commit 389d2633441b65ced1c104212cd62be2bfca21e5) contains multiple unauthenticated SQL injection vulnerabilities. The application has no authentication mechanism and passes user-supplied HTTP parameters directly into deprecated mysql_query() calls via string concatenation, without sanitization, escaping, or parameterization. Affected sinks include rooms.php (DELETE FROM Rooms WHERE ID = $_GET['ID'], unquoted numeric context), checkuser.php (WHERE Ext = '$_GET["Ext"]'), ec.php (date/extension parameters in a WHERE), checkin.php and wakeup.php ($_POST values into INSERT statements), bills.php ($_POST fields built into a WHERE clause), and rates.php and checkout.php. A remote, unauthenticated attacker can inject arbitrary SQL to read, modify, or delete arbitrary records in the backing database (e.g. rooms.php?ID=1 OR 1=1 deletes all room records). Note: queries run via the legacy mysql_* extension, which does not permit stacked statements.
Published: 2026-06-18
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a classic SQL injection flaw: an unauthenticated attacker can send crafted HTTP parameters that are concatenated directly into mysql_query() calls. By exploiting these weaknesses the attacker can execute arbitrary SQL statements against the back-end database, which can lead to unauthorized reading, modification, or deletion of database records, and potentially full compromise of the application's data integrity and confidentiality.

Affected Systems

The application affected is PIAF‑HMS, developed by claudiopizzillo. No official releases exist; the latest code is committed to the repository at commit 389d2633441b65ced1c104212cd62be2bfca21e5. The system has no authentication mechanism, and the vulnerable PHP scripts include rooms.php, checkuser.php, ec.php, checkin.php, wakeup.php, bills.php, rates.php, and checkout.php.

Risk and Exploitability

The CVSS score of 9.3 reflects the high severity of this flaw, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw via a simple HTTP GET or POST request to any of the vulnerable endpoints, without needing credentials or prior access. Because the application permits unauthenticated requests and the vulnerable queries are built by concatenating raw user input, the exploit is straightforward and highly likely to be used if discovered.

Generated by OpenCVE AI on June 18, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the application to a version that replaces the mysql_* extension with mysqli or PDO prepared statements; if no official release is available, manually refactor the code to use parameterized queries and proper input escaping.
  • Configure the web server or application framework to enforce authentication for all exposed endpoints, preventing unauthenticated HTTP requests from reaching the vulnerable code.
  • Disable the deprecated mysql_* extension in PHP by no longer loading it in php.ini, or by listing the mysql_* functions in the disable_functions directive, thereby preventing further exploitation through the legacy code paths.
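An added example of the first recommended action (not code from the PIAF-HMS repository): the two sinks quoted in the description, rooms.php (unquoted numeric ID) and checkuser.php (quoted Ext string), rewritten with PDO prepared statements. The DSN credentials, the Users table name and the function names are assumptions.

```php
<?php
// Added example, not PIAF-HMS code. Table Rooms/column ID and column Ext
// come from the description; the Users table name and DSN values are assumed.

// Vulnerable pattern described on the page (legacy mysql_* extension):
//   mysql_query("DELETE FROM Rooms WHERE ID = " . $_GET['ID']);
//   mysql_query("SELECT * FROM Users WHERE Ext = '" . $_GET['Ext'] . "'");

$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);

function deleteRoom(PDO $pdo, $rawId): int
{
    // Numeric context: validate the type before it reaches SQL at all, then
    // bind it as an integer. A value such as "1 OR 1=1" is rejected here.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return 0;
    }
    $stmt = $pdo->prepare('DELETE FROM Rooms WHERE ID = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();   // 0 or 1 row, never the whole table
}

function findByExt(PDO $pdo, string $ext): ?array
{
    // String context: the bound value travels separately from the SQL text,
    // so quote characters inside $ext cannot terminate the literal.
    $stmt = $pdo->prepare('SELECT * FROM Users WHERE Ext = :ext');
    $stmt->execute([':ext' => $ext]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

if (isset($_GET['ID'])) {
    $deleted = deleteRoom($pdo, $_GET['ID']);
    echo json_encode(['deleted' => $deleted]);
}
```

The second recommended action still applies: prepared statements stop the injection but do not add the missing authentication check in front of these handlers.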



Advisories

No advisories yet.

History

Thu, 18 Jun 2026 16:45:00 +0000

Type: Values Removed / Values Added

Description (added): text identical to the Description section above.
Title (added): PIAF-HMS multiple unauthenticated SQL injection vulnerabilities via mysql_query
Weaknesses (added): CWE-89
References (added): none
Metrics (added):
  cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: TuranSec

Published:

Updated: 2026-06-18T12:05:05.175Z

Reserved: 2026-06-13T16:39:46.122Z

Link: CVE-2026-54419

Vulnrichment

Updated: 2026-06-18T12:04:57.185Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T20:30:05Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')