CVE-2026-31071

9.1 CRITICAL

Published: May 19, 2026 Modified: May 20, 2026

Description

API endpoints in LalanaChami Pharmacy Management System (commit 5c3d028) lack authentication middleware. Unauthenticated remote attackers can exploit this to dump all user records (including bcrypt password hashes) via /api/user/getUserData, modify drug inventory, and access private medical prescription data via /api/doctorOder.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://gist.github.com/nedlir/bc8ad4693c53256819280e8f5de49286

Source: cve@mitre.org

https://github.com/LalanaChami/Pharmacy-Mangment-System/tree/5c3d02888631166649856f71d542387114b3010b/backend/routes

Source: cve@mitre.org

https://gist.github.com/nedlir/bc8ad4693c53256819280e8f5de49286

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

3 reference(s) from NVD

Quick Stats

CVSS v3 Score

9.1 / 10.0

EPSS (Exploit Probability)

0.1%

23th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-306

Related CVEs

CVE-2026-50100 7.8

CVE-2026-44188 5.3

CVE-2026-11860 N/A

CVE-2026-9278 N/A

CVE-2026-8935 N/A