Skip to main content

Offline Hospital Management System CVE-2026-26462

| EUVDEUVD-2026-30773 HIGH
Improper Neutralization of Special Elements used in an Expression Language Statement (CWE-917)
2026-05-18 mitre GHSA-53vh-ccq9-xwq5
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
Analysis Generated
May 19, 2026 - 14:22 vuln.today
CVSS changed
May 19, 2026 - 14:22 NVD
7.3 (HIGH)
CVE Published
May 18, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

Offline Hospital Management System 5.3.0 allows remote code execution due to an improper Electron renderer configuration. The application enables Node.js integration while disabling context isolation, allowing JavaScript executed in the renderer process to access Node.js APIs and execute arbitrary operating system commands.

AnalysisAI

Remote code execution in Offline Hospital Management System 5.3.0 stems from an insecure Electron renderer configuration where Node.js integration is enabled while context isolation is disabled, allowing JavaScript in the renderer to invoke Node.js APIs and run arbitrary OS commands. The flaw carries a CVSS 7.3 with network attack vector and no privileges required, though EPSS is low at 0.06% and no public exploit identified at time of analysis beyond a Medium write-up describing the technique.

Technical ContextAI

The affected software is a SourceForge-distributed Electron desktop application for hospital management. Electron applications run a Chromium-based renderer process that, by default in modern releases, should isolate web content from Node.js to follow the principle of least privilege. In this build the BrowserWindow is configured with nodeIntegration:true and contextIsolation:false, which exposes the full Node.js require() surface (including the child_process module) directly to any JavaScript executing in the renderer. This is the root cause class typically tracked as CWE-1188 (Insecure Default Initialization of Resource) or CWE-94 (Improper Control of Generation of Code). The CPE entry is generic (cpe:2.3:a:n/a:n/a:*) reflecting that MITRE has not yet assigned a vendor/product CPE for this SourceForge project.

RemediationAI

No vendor-released patch identified at time of analysis; the SourceForge project page is the canonical distribution point and no fixed release is referenced in the advisory data. Compensating controls focus on the Electron security model: rebuild the application setting contextIsolation:true and nodeIntegration:false in every BrowserWindow webPreferences, expose only narrow, audited APIs via a contextBridge preload script, and enable sandbox:true where feasible (side effect: any existing renderer code that calls require() directly must be refactored to use the preload bridge). As deployment-side mitigations until a fixed build is released, restrict the application to trusted local data only, avoid pasting or rendering untrusted external content within the app, block the application from loading remote HTTP(S) resources via host firewall or HOSTS file, and consider running it inside a least-privilege OS user account or sandbox to bound post-exploit impact. Track the NVD page https://nvd.nist.gov/vuln/detail/CVE-2026-26462 and VulDB entry https://vuldb.com/vuln/364476 for an official fix.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-26462 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy