Severity: CRITICAL | CVE-2026-54419 | CNA: TuranSec

CVE-2026-54419: PIAF-HMS multiple unauthenticated SQL injection vulnerabilities via mysql_query

claudiopizzillo PIAF-HMS (PBX-In-A-Flash Hotel Management System; no released versions, latest commit 389d2633441b65ced1c104212cd62be2bfca21e5) contains multiple unauthenticated SQL injection vulnerabilities. The application has no authentication mechanism and passes user-supplied HTTP parameters directly into deprecated mysql_query() calls via string concatenation, without sanitization, escaping, or parameterization. Affected sinks include rooms.php (DELETE FROM Rooms WHERE ID = $_GET['ID'], unquoted numeric context), checkuser.php (WHERE Ext = '$_GET["Ext"]'), ec.php (date/extension parameters in a WHERE), checkin.php and wakeup.php ($_POST values into INSERT statements), bills.php ($_POST fields built into a WHERE clause), and rates.php and checkout.php. A remote, unauthenticated attacker can inject arbitrary SQL to read, modify, or delete arbitrary records in the backing database (e.g. rooms.php?ID=1 OR 1=1 deletes all room records). Note: queries run via the legacy mysql_* extension, which does not permit stacked statements.
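The two query shapes the advisory names (an unquoted numeric context in rooms.php and a quoted string context in checkuser.php) rewritten so the HTTP parameter never becomes part of the SQL text, as an added example that is not PIAF-HMS code. The DSN, credentials, the Guests table name and the extension format are assumptions for illustration; the Rooms.ID and Ext column names come from the advisory.

```php
<?php
// Added example, not part of the PIAF-HMS project: PDO prepared statements in
// place of string-concatenated mysql_query() calls. Connection details and the
// Guests table are assumptions for illustration.
declare(strict_types=1);

function db(): PDO
{
    // Placeholder credentials; a real deployment reads these from configuration.
    return new PDO(
        'mysql:host=127.0.0.1;dbname=piafhms;charset=utf8mb4',
        'hms_user',
        'CHANGE_ME',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            // Server-side prepares: placeholders are never interpolated client-side.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// rooms.php sink: DELETE FROM Rooms WHERE ID = $_GET['ID'] (unquoted numeric context).
// Validate the type first, then bind as an integer, so the value never touches the SQL text.
function deleteRoom(PDO $pdo, mixed $rawId): int
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        // Reject rather than coerce: the advisory's "1 OR 1=1" value fails here.
        http_response_code(400);
        return 0;
    }
    $stmt = $pdo->prepare('DELETE FROM Rooms WHERE ID = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// checkuser.php sink: WHERE Ext = '$_GET["Ext"]' (quoted string context).
// Binding takes care of quoting; the allowlist additionally keeps extensions to
// the short digit strings a PBX uses (assumed format).
function findByExtension(PDO $pdo, mixed $rawExt): ?array
{
    if (!is_string($rawExt) || !preg_match('/^\d{2,6}$/', $rawExt)) {
        http_response_code(400);
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM Guests WHERE Ext = :ext');
    $stmt->bindValue(':ext', $rawExt, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Minimal request dispatch replacing the direct $_GET -> mysql_query() path.
if (PHP_SAPI !== 'cli') {
    $pdo = db();
    if (isset($_GET['ID'])) {
        echo deleteRoom($pdo, $_GET['ID']) . " room(s) deleted\n";
    } elseif (isset($_GET['Ext'])) {
        echo json_encode(findByExtension($pdo, $_GET['Ext']));
    }
}
```

Parameterization closes the injection on these two sinks; the same pattern applies to the INSERT and WHERE-clause sinks in checkin.php, wakeup.php, bills.php, rates.php and checkout.php. It does not address the other defect the advisory records, the absence of any authentication gate, which is a separate control that must still be placed in front of a destructive endpoint such as the room delete.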

Metrics

  • CVSS v4.0: 9.3
  • Severity: CRITICAL
  • Fixed in: none published
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Multiple unauthenticated SQL injection vulnerabilities exist in claudiopizzillo PIAF-HMS (PBX-In-A-Flash Hotel Management System), a PHP hotel management application. The application passes user-supplied HTTP parameters directly into deprecated mysql_query() calls via string concatenation with no sanitization, escaping, or parameterization, and no authentication gate in front of any affected endpoint. A remote attacker with network access to the application can read, modify, or delete arbitrary records in the backing database across multiple endpoints. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-54419 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images derived from the affected PIAF-HMS codebase. Any image containing the affected commit range is flagged in the customer's registry scan and CI pipeline results.

Triage: Available

HarborGuard scores this finding at CVSS 9.3 (Critical, v4.0) and surfaces it accordingly in each customer environment's issue queue. Per-environment compliance policy weighting is applied automatically, and the finding is routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: Pending upstream

No fix version has been published upstream for PIAF-HMS. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer publishes a remediated commit or release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoints are served over HTTP, so an attacker must be able to reach the application over the network; no prior foothold on the host is needed.

  • Authentication: Not required

    The application has no authentication mechanism on any of the affected endpoints, so no credentials or session token of any kind are needed.

  • Victim interaction: Not required

    The attacker sends crafted HTTP requests directly to the server; no user action or social engineering is required.

  • Attack complexity: Low

    Exploitation is reliable and condition-free: parameters are concatenated directly into SQL queries with no sanitization, making injection straightforward and repeatable without race conditions or special environmental setup.

Blast Radius

  • Reads arbitrary records from the backing database, including guest reservations, room data, billing records, and extension mappings.
  • Modifies persisted database rows, for example overwriting room rates, check-in records, or wake-up call entries.
  • Deletes arbitrary database records, as demonstrated by the rooms.php?ID=1 OR 1=1 payload which removes all room rows in a single request.
  • Note: the legacy mysql_* extension does not permit stacked statements, so execution of additional SQL commands beyond the injected query is constrained to the original statement type.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for PIAF-HMS, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild automatically once the maintainer publishes a remediated commit. In the interim, customers running this image are advised to apply compensating controls: network-policy isolation restricting inbound access to the application to trusted source ranges only, egress filtering on the container to limit database reachability from other workloads, and where operationally feasible, taking the affected endpoints offline until a fix is available. When an upstream patch is published, customers with auto-remediation enabled will receive a rebuilt image, a regression test run, and a PR opened against affected workloads, with median time from CVE publication to merged patch PR for critical-severity issues around 90 minutes in those environments.

Affected packages
  • claudiopizzillo / PIAF-HMS
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N