Severity: Critical
CVSS Score: 9.8
The admin terminal in Hawt.io does not require authentication, which allows remote attackers to execute arbitrary commands via the k parameter.