Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Offline Hospital Management System 5.3.0 allows remote code execution due to an improper Electron renderer configuration. The application enables Node.js integration while disabling context isolation, allowing JavaScript executed in the renderer process to access Node.js APIs and execute arbitrary operating system commands.
AnalysisAI
Remote code execution in Offline Hospital Management System 5.3.0 stems from an insecure Electron renderer configuration where Node.js integration is enabled while context isolation is disabled, allowing JavaScript in the renderer to invoke Node.js APIs and run arbitrary OS commands. The flaw carries a CVSS 7.3 with network attack vector and no privileges required, though EPSS is low at 0.06% and no public exploit identified at time of analysis beyond a Medium write-up describing the technique.
Technical ContextAI
The affected software is a SourceForge-distributed Electron desktop application for hospital management. Electron applications run a Chromium-based renderer process that, by default in modern releases, should isolate web content from Node.js to follow the principle of least privilege. In this build the BrowserWindow is configured with nodeIntegration:true and contextIsolation:false, which exposes the full Node.js require() surface (including the child_process module) directly to any JavaScript executing in the renderer. This is the root cause class typically tracked as CWE-1188 (Insecure Default Initialization of Resource) or CWE-94 (Improper Control of Generation of Code). The CPE entry is generic (cpe:2.3:a:n/a:n/a:*) reflecting that MITRE has not yet assigned a vendor/product CPE for this SourceForge project.
RemediationAI
No vendor-released patch identified at time of analysis; the SourceForge project page is the canonical distribution point and no fixed release is referenced in the advisory data. Compensating controls focus on the Electron security model: rebuild the application setting contextIsolation:true and nodeIntegration:false in every BrowserWindow webPreferences, expose only narrow, audited APIs via a contextBridge preload script, and enable sandbox:true where feasible (side effect: any existing renderer code that calls require() directly must be refactored to use the preload bridge). As deployment-side mitigations until a fixed build is released, restrict the application to trusted local data only, avoid pasting or rendering untrusted external content within the app, block the application from loading remote HTTP(S) resources via host firewall or HOSTS file, and consider running it inside a least-privilege OS user account or sandbox to bound post-exploit impact. Track the NVD page https://nvd.nist.gov/vuln/detail/CVE-2026-26462 and VulDB entry https://vuldb.com/vuln/364476 for an official fix.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30773
GHSA-53vh-ccq9-xwq5