HotelDruid 3.0.7 weak password flaw (CVE-2025-25749) allows short, common, and reused passwords, exposing accounts to brute force.

HotelDruid 3.0.7 CSRF (CVE-2025-25748) lets attackers change passwords via malicious links, risking account takeover.

HotelDruid 3.0.7 Reflected XSS (CVE-2025-25747) allows injecting JavaScript via ripristina_backup, risking session hijacking & phishing.

Multiple security vulnerabilities have been identified in HotelDruid 3.0.7, including Reflected Cross-Site Scripting (CVE-2025-25747), Cross