CVE-2025-44203
In HotelDruid 3.0.0 and 3.0.7, the unauthenticated database-setup endpoint creadb.php can be reached before setup is completed and performs database creation without locking. By sending many concurrent requests, an attacker can trigger a race condition during which verbose SQL error messages disclose the administrator username, password hash, and salt. The same race leaves the setup partially initialized, so the administrator can no longer log in with the credentials set during installation, resulting in a denial of service that requires reinstallation to recover. Remote exploitation additionally requires the installation to allow non-localhost access. The vulnerability was fixed in version 3.0.8.
| Vendor | n/a |
| Product | n/a |
| Published | Jun 20, 2025 |
| Last Updated | Jul 9, 2026 |
Get instant alerts for n/a n/a
Be the first to know when new high vulnerabilities affecting n/a n/a are published โ delivered to Slack, Telegram or Discord.