Duty Analyst: Joseph McCarthy
← Back to CVE list

CVE-2026-31071

Published: 2026-05-19 16:16:20 | Last modified: 2026-05-20 14:16:41

CRITICAL CVSS 9.1
No EPSS data

Description

API endpoints in LalanaChami Pharmacy Management System (commit 5c3d028) lack authentication middleware. Unauthenticated remote attackers can exploit this to dump all user records (including bcrypt password hashes) via /api/user/getUserData, modify drug inventory, and access private medical prescription data via /api/doctorOder.

CVSS details

Severity
critical
Score
9.1
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS

This CVE is not currently listed in the EPSS dataset.

Show JSON 
{
    "cve": {
        "id": "CVE-2026-31071",
        "cveTags": [],
        "metrics": {
            "cvssMetricV31": [
                {
                    "type": "Secondary",
                    "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                    "cvssData": {
                        "scope": "UNCHANGED",
                        "version": "3.1",
                        "baseScore": 9.1,
                        "attackVector": "NETWORK",
                        "baseSeverity": "CRITICAL",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
                        "integrityImpact": "HIGH",
                        "userInteraction": "NONE",
                        "attackComplexity": "LOW",
                        "availabilityImpact": "NONE",
                        "privilegesRequired": "NONE",
                        "confidentialityImpact": "HIGH"
                    },
                    "impactScore": 5.2,
                    "exploitabilityScore": 3.9
                }
            ]
        },
        "published": "2026-05-19T16:16:20.490",
        "references": [
            {
                "url": "https://gist.github.com/nedlir/bc8ad4693c53256819280e8f5de49286",
                "source": "cve@mitre.org"
            },
            {
                "url": "https://github.com/LalanaChami/Pharmacy-Mangment-System/tree/5c3d02888631166649856f71d542387114b3010b/backend/routes",
                "source": "cve@mitre.org"
            },
            {
                "url": "https://gist.github.com/nedlir/bc8ad4693c53256819280e8f5de49286",
                "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"
            }
        ],
        "vulnStatus": "Deferred",
        "weaknesses": [
            {
                "type": "Secondary",
                "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                "description": [
                    {
                        "lang": "en",
                        "value": "CWE-306"
                    }
                ]
            }
        ],
        "descriptions": [
            {
                "lang": "en",
                "value": "API endpoints in LalanaChami Pharmacy Management System (commit 5c3d028) lack authentication middleware. Unauthenticated remote attackers can exploit this to dump all user records (including bcrypt password hashes) via /api/user/getUserData, modify drug inventory, and access private medical prescription data via /api/doctorOder."
            }
        ],
        "lastModified": "2026-05-20T14:16:40.560",
        "sourceIdentifier": "cve@mitre.org"
    }
}