CVE-2025-55816
MEDIUMHotelDruid < 3.0.7 - Cross-Site Scripting in /modifica_app.php
Title source: llmExploitation Summary
EIP tracks 1 public exploit for CVE-2025-55816. PoCs published by partywavesec.
AI-analyzed exploit summary This repository provides a detailed writeup for CVE-2025-55816, a stored XSS vulnerability in HotelDruid 3.0.7. The vulnerability allows an attacker to inject malicious JavaScript via the 'New Photo Url' feature due to insufficient input validation.
Description
HotelDruid v3.0.7 and before is vulnerable to Cross Site Scripting (XSS) in the /modifica_app.php file.
Exploits (1)
nomisec
WRITEUP
by partywavesec · poc
https://github.com/partywavesec/CVE-2025-55816
This repository provides a detailed writeup for CVE-2025-55816, a stored XSS vulnerability in HotelDruid 3.0.7. The vulnerability allows an attacker to inject malicious JavaScript via the 'New Photo Url' feature due to insufficient input validation.
Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target:
HotelDruid <= 3.0.7
Auth required
Prerequisites:
Access to the application with sufficient privileges to modify apartment details
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026
Full analysis →
References (2)
Core 2
Core References
Product
https://www.hoteldruid.com/en/
Exploit, Third Party Advisory
https://www.partywave.site/show/research/cve-2025-55816-xss-and-raptx
Scores
CVSS v3
6.1
EPSS
0.0022
EPSS Percentile
13.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
digitaldruid/hoteldruid
< 3.0.7
Published
Dec 11, 2025
Tracked Since
Feb 18, 2026