Unauthenticated SQL Injection Vulnerabilities in PIAF-HMS by Claudiopizzillo
CVE-2026-54419

9.3 CRITICAL

Key Information:

Vendor: Claudiopizzillo
CVE Published: 18 June 2026

What is CVE-2026-54419?

PIAF-HMS, a hotel management system by Claudiopizzillo, contains multiple critical SQL injection vulnerabilities caused by two compounding problems: the affected pages perform no authentication check, and they build database queries by concatenating user-supplied HTTP parameters directly into calls to the deprecated mysql_query() function, with no parameterisation, escaping or type validation. Affected files include rooms.php, checkuser.php, ec.php, checkin.php, wakeup.php, bills.php, rates.php and checkout.php. Because no login is required, any attacker who can reach the application over the network can send crafted parameter values that alter the query logic and perform unauthorised database operations, such as deleting records or retrieving sensitive information, which places every exposed deployment at significant risk.

Two practical notes for operators: the mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7.0, so an installation that still executes these calls is also running an end-of-life PHP release. Remediation consists of placing an authentication check in front of every affected page and replacing the concatenated queries with validated input bound through prepared statements (mysqli or PDO); where patching is not immediately possible, restrict network access to the application.
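The following is an added illustration of the vulnerable pattern the advisory describes and of its hardened form. It is example code written for this page, not code from PIAF-HMS; the parameter name room_id, the rooms table, its column names and the session key user_id are assumptions chosen for the demonstration.

```php
<?php
// Added example, not PIAF-HMS code. Parameter, table, column and session
// names below are assumptions for illustration only.

// --- Vulnerable pattern: the class of bug described in the advisory ---
// The user-controlled value is concatenated into the SQL text and the
// resulting string would be handed to the removed mysql_query() function,
// with no login check in front of it.
function vulnerable_room_query(array $get): string {
    $id = $get['room_id'] ?? '';
    // A value such as  1 OR 1=1  rewrites the WHERE clause; anything the
    // MySQL grammar accepts at that position becomes part of the query.
    return "SELECT * FROM rooms WHERE id = " . $id;
    // Original code would continue with: mysql_query($sql);
}

// --- Hardened pattern ---
// 1. Require an authenticated session before touching the database.
// 2. Validate the parameter against the type the column expects.
// 3. Bind it through a prepared statement so it is never parsed as SQL.
function require_login(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['user_id'])) {   // assumed session key
        http_response_code(401);
        exit('Authentication required');
    }
}

function fetch_room(mysqli $db, array $get): ?array {
    // FILTER_VALIDATE_INT returns false for "1 OR 1=1", "1;DROP...", "", null
    $id = filter_var($get['room_id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        http_response_code(400);
        return null;
    }
    $stmt = $db->prepare('SELECT id, number, status FROM rooms WHERE id = ?');
    $stmt->bind_param('i', $id);   // 'i' = integer; value travels as data
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Demonstration of the string-building problem; runs without a database.
// The request below is a constructed sample, not a captured one.
$attack = ['room_id' => '1 OR 1=1'];
echo vulnerable_room_query($attack), PHP_EOL;
// SELECT * FROM rooms WHERE id = 1 OR 1=1   <- every row matches

var_dump(filter_var($attack['room_id'], FILTER_VALIDATE_INT));
// bool(false)  <- the hardened handler rejects it before any query is built

// Typical request-handler use (needs a live mysqli connection; credentials
// here are placeholders):
// require_login();
// $db   = new mysqli('localhost', 'user', 'pass', 'hms');
// $room = fetch_room($db, $_GET);
```

The integer validation is defence in depth, not the fix itself: the prepared statement alone is what keeps the value out of the SQL grammar, and it works the same way for string parameters (bind type 's'). Note that a fixed build needs PHP 7 or later with mysqli or PDO, since the mysql_* functions the original code relies on no longer exist there.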


CVSS v4

Score: 9.3
Severity: Critical
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User Interaction: None
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability reserved
  • Vulnerability published: 18 June 2026

Credit

Eshmirzayev Abbos