PT-2026-41944 · Unknown · Lalanachami Pharmacy Management System
Published: 2026-05-19 · Updated: 2026-05-20 · CVE-2026-31071
CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
LalanaChami Pharmacy Management System version 5c3d028
Description
Certain API endpoints lack authentication middleware, allowing unauthenticated remote attackers to access sensitive data and perform unauthorized actions. Specifically, the '/api/user/getUserData' endpoint can be used to dump all user records, including bcrypt password hashes. Additionally, attackers can modify drug inventory and access private medical prescription data through the '/api/doctorOder' endpoint.
Recommendations
Implement authentication middleware for the '/api/user/getUserData' and '/api/doctorOder' endpoints to prevent unauthorized access.
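A deny-by-default version of this recommendation, as an added example that is not the project's own code: one middleware mounted in front of every API router, so an endpoint added later cannot be left unprotected. It assumes an Express-style `(req, res, next)` stack; the HMAC token helpers, the `/user/login` allowlist entry and the `simulate` helper are hypothetical stand-ins.

```javascript
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret'; // constructed; load from config in practice
// Hypothetical allowlist, relative to the /api mount. Exact match only, so
// case or trailing-slash variants fall through to the auth check (fail closed).
const PUBLIC_ROUTES = new Set(['POST /user/login']);

const mac = (payload) => crypto.createHmac('sha256', SECRET).update(payload).digest();

// Stand-in token format "payload.signature"; the application's own session
// or JWT verification would take the place of signToken/verifyToken.
function signToken(userId, expiresAtMs) {
  const payload = Buffer.from(JSON.stringify({ sub: userId, exp: expiresAtMs })).toString('base64url');
  return `${payload}.${mac(payload).toString('base64url')}`;
}

function verifyToken(token, nowMs = Date.now()) {
  const [payload, sig] = String(token).split('.');
  if (!payload || !sig) return null;
  const given = Buffer.from(sig, 'base64url');
  const expected = mac(payload);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString());
  return claims.exp > nowMs ? claims : null;
}

// Express-style middleware, intended to be mounted once in front of every
// API router, e.g. app.use('/api', requireAuth), so new routes are covered.
function requireAuth(req, res, next) {
  if (PUBLIC_ROUTES.has(`${req.method} ${req.path}`)) return next();
  const header = req.headers.authorization || '';
  const claims = header.startsWith('Bearer ') ? verifyToken(header.slice(7)) : null;
  if (!claims) return res.status(401).json({ error: 'authentication required' });
  req.user = claims;
  return next();
}

// Drives the middleware with stub req/res objects; 200 means the request
// would have reached the route handler.
function simulate(method, path, authorization) {
  let status = 200;
  const req = { method, path, headers: authorization ? { authorization } : {} };
  const res = { status(code) { status = code; return this; }, json() { return this; } };
  requireAuth(req, res, () => {});
  return status;
}
```

Authentication alone only establishes who the caller is; which roles may read user records or change inventory is a separate authorization check inside the handlers.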
Exploit
Fix
Missing Authentication
Weakness Enumeration
Related Identifiers
Affected Products
Lalanachami Pharmacy Management System