Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
The LalanaChami Pharmacy Management System (commit 5c3d028) allows unauthenticated remote attackers to escalate privileges by self-assigning an administrative role during registration. The /api/user/signup endpoint fails to validate the role parameter in the request body
AnalysisAI
Privilege escalation in LalanaChami Pharmacy Management System (commit 5c3d028) allows any remote unauthenticated attacker to register a new account with administrator privileges by simply including a role parameter in the signup request body. The /api/user/signup endpoint trusts client-supplied role values without server-side validation, granting full administrative access in a single HTTP call. No public exploit identified at time of analysis, and EPSS is very low (0.04%), but the trivial nature of the flaw means weaponization is straightforward once anyone notices the gist already documenting the issue.
Technical ContextAI
The affected software is a Node.js/Express-based pharmacy application maintained on GitHub under LalanaChami/Pharmacy-Mangment-System. The vulnerability falls under CWE-269 (Improper Privilege Management): the signup route handler in backend/routes/user.js accepts the request body verbatim and persists whatever role string the client supplies, rather than forcing newly registered users to a default low-privilege role and gating administrative roles behind an authenticated, authorized provisioning flow. This is a classic mass-assignment / parameter tampering issue where the server-side data model exposes a privileged attribute to an untrusted input boundary.
RemediationAI
No vendor-released patch identified at time of analysis - the project does not appear to have published a tagged fix release. Operators should immediately modify backend/routes/user.js to strip or ignore any client-supplied role field on the /api/user/signup endpoint and force newly created accounts to a hardcoded non-privileged default role, with administrative role assignment handled only by an authenticated admin via a separate endpoint with proper authorization checks. As compensating controls until code is patched: place the signup endpoint behind an authenticated reverse-proxy ACL or remove the endpoint entirely if self-registration is not required (side effect: blocks all new user onboarding), or add a WAF/middleware rule that rejects POSTs to /api/user/signup containing a 'role' key in the JSON body (side effect: may break legitimate clients if they ever needed to send role data, though they should not). Audit the user table for any accounts created with administrative roles since deployment and revoke or delete unauthorized admins. Reference advisories: https://nvd.nist.gov/vuln/detail/CVE-2026-31070 and the disclosure gist https://gist.github.com/nedlir/22bf6d1a3a07209be3e343744bc81d51.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30945
GHSA-qg5w-7c3j-rfjc