Hotels_Server through 2018-11-05 has SQL Injection via the controller/fetchpwd.php username parameter. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
SQLi
PHP
Hotels Server
NVD
GitHub
CVSS 3.0
9.8
EPSS
1.0%