PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-54419 claudiopizzillo CVE debrief

The PIAF-HMS (PBX-In-A-Flash Hotel Management System) by Claudiop Pizzillo contains multiple unauthenticated SQL injection vulnerabilities. The application lacks an authentication mechanism and directly injects user-supplied HTTP parameters into deprecated mysql_query() calls without sanitization, escaping, or parameterization. Affected components include rooms.php, checkuser.php, ec.php, checkin.php, wakeup.php, bills.php, rates.php, and checkout.php. An attacker can inject arbitrary SQL to read, modify, or delete database records.

Vendor
claudiopizzillo
Product
PIAF-HMS
CVSS
CRITICAL 9.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-18
Original CVE updated
2026-06-22
Advisory published
2026-06-18
Advisory updated
2026-06-22

Who should care

System administrators and security professionals responsible for PIAF-HMS installations should prioritize patching this vulnerability. The vulnerability's critical severity (CVSS score of 9.3) and the ease of exploitation make it a high-risk issue.

Technical summary

The PIAF-HMS application does not implement authentication and directly concatenates user-supplied input into SQL queries using deprecated mysql_query() functions. This allows remote attackers to inject malicious SQL, potentially leading to unauthorized data access, modification, or deletion. Affected areas include room management, user checks, and billing functions. The application lacks input validation and sanitization, making it vulnerable to SQL injection attacks. The use of deprecated mysql_* functions further exacerbates the risk. To mitigate this vulnerability, it is essential to implement prepared statements with parameterized queries, disable or remove deprecated mysql_* functions, and enforce authentication mechanisms for the application.

Defensive priority

High priority should be given to patching or mitigating this vulnerability due to its critical severity and the potential for significant impact.

Recommended defensive actions

  • Apply patches or updates provided by the vendor, if available.
  • Implement input validation and sanitization for user-supplied data.
  • Use prepared statements with parameterized queries to prevent SQL injection.
  • Disable or remove deprecated mysql_* functions if not required.
  • Implement authentication mechanisms for the application.
  • Conduct regular security audits and vulnerability assessments.

Evidence notes

The CVE record and NVD details provide information on the vulnerability. The source code and additional references offer technical insights into the affected components and exploitation vectors. The vulnerability is caused by the lack of authentication and improper input validation in the PIAF-HMS application. The affected components include rooms.php, checkuser.php, ec.php, checkin.php, wakeup.php, bills.php, rates.php, and checkout.php. The exploitation of this vulnerability can lead to unauthorized data access, modification, or deletion. Defenders should verify the affected scope, severity, and vendor guidance to prioritize patching or mitigating this vulnerability.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-18T14:17:31.887Z and has not been modified since then. The NVD entry is currently Deferred.