Skip to main content

Pharmacy Management System CVE-2026-31070

| EUVDEUVD-2026-30945 CRITICAL
Improper Privilege Management (CWE-269)
2026-05-19 mitre GHSA-qg5w-7c3j-rfjc
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
May 20, 2026 - 14:23 vuln.today
CVSS changed
May 20, 2026 - 14:22 NVD
9.8 (CRITICAL)
CVE Published
May 19, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

The LalanaChami Pharmacy Management System (commit 5c3d028) allows unauthenticated remote attackers to escalate privileges by self-assigning an administrative role during registration. The /api/user/signup endpoint fails to validate the role parameter in the request body

AnalysisAI

Privilege escalation in LalanaChami Pharmacy Management System (commit 5c3d028) allows any remote unauthenticated attacker to register a new account with administrator privileges by simply including a role parameter in the signup request body. The /api/user/signup endpoint trusts client-supplied role values without server-side validation, granting full administrative access in a single HTTP call. No public exploit identified at time of analysis, and EPSS is very low (0.04%), but the trivial nature of the flaw means weaponization is straightforward once anyone notices the gist already documenting the issue.

Technical ContextAI

The affected software is a Node.js/Express-based pharmacy application maintained on GitHub under LalanaChami/Pharmacy-Mangment-System. The vulnerability falls under CWE-269 (Improper Privilege Management): the signup route handler in backend/routes/user.js accepts the request body verbatim and persists whatever role string the client supplies, rather than forcing newly registered users to a default low-privilege role and gating administrative roles behind an authenticated, authorized provisioning flow. This is a classic mass-assignment / parameter tampering issue where the server-side data model exposes a privileged attribute to an untrusted input boundary.

RemediationAI

No vendor-released patch identified at time of analysis - the project does not appear to have published a tagged fix release. Operators should immediately modify backend/routes/user.js to strip or ignore any client-supplied role field on the /api/user/signup endpoint and force newly created accounts to a hardcoded non-privileged default role, with administrative role assignment handled only by an authenticated admin via a separate endpoint with proper authorization checks. As compensating controls until code is patched: place the signup endpoint behind an authenticated reverse-proxy ACL or remove the endpoint entirely if self-registration is not required (side effect: blocks all new user onboarding), or add a WAF/middleware rule that rejects POSTs to /api/user/signup containing a 'role' key in the JSON body (side effect: may break legitimate clients if they ever needed to send role data, though they should not). Audit the user table for any accounts created with administrative roles since deployment and revoke or delete unauthorized admins. Reference advisories: https://nvd.nist.gov/vuln/detail/CVE-2026-31070 and the disclosure gist https://gist.github.com/nedlir/22bf6d1a3a07209be3e343744bc81d51.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

CVE-2026-31070 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy