20 matches found
CVE-2026-54419
PIAF-HMS (PBX-In-A-Flash Hotel Management System) contains multiple unauthenticated SQL injection vulnerabilities. The app has no authentication and passes user-supplied HTTP parameters directly into deprecated mysql_query() calls via string concatenation, without sanitization, escaping, or param...
CVE-2026-54419 PIAF-HMS multiple unauthenticated SQL injection vulnerabilities via mysql_query
claudiopizzillo PIAF-HMS PBX-In-A-Flash Hotel Management System; no released versions, latest commit 389d2633441b65ced1c104212cd62be2bfca21e5 contains multiple unauthenticated SQL injection vulnerabilities. The application has no authentication mechanism and passes user-supplied HTTP parameters...
Web Based Online Hotel Booking System 0.1.0 - Authentication Bypass Vulnerability
Exploit for php platform in category web applications Exploit Title: Web Based Online Hotel Booking System 0.1.0 - Authentication Bypass Exploit Author: KeopssGroup0day,Inc Vendor Homepage: https://github.com/mrzulkarnine/Web-based-hotel-booking-system Software Link:...
TopicsViewer 3.0 Beta 1 SQL Injection
TopicsViewer v3.0 Beta 1 - Multiple Sql Injection Vulnerability. Author : AtT4CKxT3rR0r1ST. Contact : [email protected] , [email protected]. Home : http://www.iphobos.com/blog/ Script : http://www.topicsviewer.com/...
Easy POS System SQL Injection
Exploit: Easy POS System - SQL Injection + Author: vinicius777 + Contact: vinicius777 AT gmail @vinicius777 + Vendor Homepage: http://sourceforge.net/projects/easypossystem/ 1 Sql Injection POST Time Based Blind Note: Time based Injection on POST requests using burp, as output indicated. You...
RTTucson Quotations Database Script - Authentication Bypass
RTTucson Quotations Database Script - Authentication Bypass RTTucson Quotations Database Script Auth Bypass SQL Injection Vulnerability By cr4wl3r http://bastardlabs.info Script: http://www.rttucson.com/files.html Bugs found /quotations/admin/include/login.php --------------------------- 36 if...
Filmis 0.2 Beta Cross Site Scripting / SQL Injection
Filmis - Version 0.2 Beta SQL Injection and XSS Vulnerabilities. Exploit Title: Filmis - Version 0.2 Beta SQL Injection and XSS...
WordPress Plugin Couponer 1.2 - SQL Injection
Exploit Title: WordPress Couponer plugin = 1.2 SQL Injection Vulnerability Date: 2011-08-31 Author: Miroslav Stampar miroslav.stamparatgmail.com @stamparm Software Link: http://downloads.wordpress.org/plugin/couponer.zip Version: 1.2 tested Note: magicquotes has to be turned off --- PoC ---...
BPanel <= 2.8 BETA2 SE XSS / SQL Injection Vulnerabilities
Exploit for unknown platform in category web applications. BPanel. Discovered By :...
GDL 4.x (node) Remote SQL Injection Vulnerability
Exploit for unknown platform in category web applications. GDL 4.x node Remote SQL Injection Vulnerability. Discovered by g4t3w4y transitory only...
Butterfly Organizer 2.0.1 (view.php id) SQL Injection Vulnerability
No description provided by source. 0x01 Informations: Name : Butterfly Organizer 2.0.1 Sql Injection Download : http://www.hotscripts.com/jump.php?listingid=72677&jumptype=1 Vulnerability : Remote Sql Injection Author : Osirys Contact : osirysatlivedotit Notes : Proud to be Italian : Same bug of...
faqmanager-sql.txt
FAQ Manager 1.2 categorie.php catid Remote SQL Injection Vulnerability. Bug found by cOndemned. Script site : http://www.4yoursite.nl/scriptfaqmanager.php Greetz: ZaBeaTy, str0ke,...
mystats-multi.txt
myStats hits.php Multiple Remote Vulnerabilities Exploit url: http://mywebland.com/ Author: JosS mail: sys-projectathotmaildotcom site: http://spanish-hackers.com team: Spanish Hackers Team - SHT This was written for educational purpose. Use it at your own risk. Author will be not responsible for...
mystats - hits.php Multiple Vulnerabilities
mystats - hits.php Multiple Vulnerabilities myStats hits.php Multiple Remote Vulnerabilities Exploit url: http://mywebland.com/ Author: JosS mail: sys-projectathotmaildotcom site: http://spanish-hackers.com team: Spanish Hackers Team - SHT This was written for educational purpose. Use it at your...
myStats (hits.php) Multiple Remote Vulnerabilities Exploit
Exploit for unknown platform in category web applications. myStats hits.php Multiple Remote Vulnerabilities Exploit. myStats hits.php Multiple Remote Vulnerabilities Exploit url:...
ktools-sql.txt
Ktools Photostore = v3.5.2 crumbs.php Remote SQL Injection. Works only with magic quotes = off. Coded by DNX. Discovered: DNX. Vendor:...
auracms-blindsql.txt
!/usr/bin/perl -w Indonesian Newhack Security Advisory. AuraCMS 2.x online.php - Remote Blind SQL Injection Exploit. Waktu : Feb 15 2008 01:00PM Software : AuraCMS Versi : 2.0 2.1 2.2.1 Vendor : http://www.auracms.org/ Audit...
Battle.net Clan Script for PHP 1.5.1 - SQL Injection
Battle.net Clan Script for PHP 1.5.1 - SQL Injection script : Battle.net Clan Script 1.5 file : login.php attack : injection sql auteur : h a c k e r X code : ------------------------------------------------------------------------------------------ line 9 -- $user = $POST'user'; line 10-- $pass ...
ig shop 1.0 - Code Execution SQL Injection
ig shop 1.0 - Code Execution SQL Injection "If eval is the answer, then you are asking the wrong question." --Unknowen ig-shop suffers from two eval's that can be controlled by an attacker: http://127.0.0.1/igshop/cart.php?action=;phpinfo;// ./cart.php line 692: eval "cart$action;";...
Query: BID 6273: PortailPhp SQL Injection Vulnerability.
Hi, Posting on vuln-dev too since this has a generic PHP-MySQL SQL Injection Vuln question as well. I was working on this vulnerability. I came across the following advisory on SecurityFocus-BugTraq: http://online.securityfocus.com/archive/1/301572 I find that Php's mysqlquery only allows one SQL...