CRITICAL
claudiopizzillo
CVE published 2026-06-18
CVE-2026-54419
The PIAF-HMS (PBX-In-A-Flash Hotel Management System) by Claudiop Pizzillo contains multiple unauthenticated SQL injection vulnerabilities. The application lacks an authentication mechanism and directly injects user-supplied HTTP parameters into deprecated mysql_query() calls without sanitization, escaping, or parameterization. Affected components include rooms.php, checkuser.php, ec.php, checkin.php, wak [truncated]