๐Ÿ” CVE Alert

CVE-2025-44203

HIGH 7.5
CVSS Score
7.5
EPSS Score
0.5%
EPSS Percentile
42th

In HotelDruid 3.0.0 and 3.0.7, the unauthenticated database-setup endpoint creadb.php can be reached before setup is completed and performs database creation without locking. By sending many concurrent requests, an attacker can trigger a race condition during which verbose SQL error messages disclose the administrator username, password hash, and salt. The same race leaves the setup partially initialized, so the administrator can no longer log in with the credentials set during installation, resulting in a denial of service that requires reinstallation to recover. Remote exploitation additionally requires the installation to allow non-localhost access. The vulnerability was fixed in version 3.0.8.

Vendor n/a
Product n/a
Published Jun 20, 2025
Last Updated Jul 9, 2026
Stay Ahead of the Next One

Get instant alerts for n/a n/a

Be the first to know when new high vulnerabilities affecting n/a n/a are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

n/a / n/a
n/a

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
hoteldruid.com: https://www.hoteldruid.com/ github.com: https://github.com/IvanT7D3/CVE-2025-44203/tree/main