What is the CVSS score of CVE-2026-31071?

CVE-2026-31071 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.1%.

Which versions of Pharmacy Management System are affected by CVE-2026-31071?

The LalanaChami Pharmacy Management System (commit 5c3d028) contains a critical authentication bypass allowing unrestricted remote access to all patient medical records, user credentials with bcrypt…

Is there a public PoC exploit available for CVE-2026-31071?

Yes, a public proof-of-concept exploit is available for CVE-2026-31071. Prioritise patching immediately. EPSS: 0.1%.

Pharmacy Management System CVE-2026-31071

EUVD-2026-30949 CRITICAL

Missing Authentication for Critical Function (CWE-306)

2026-05-19 mitre

GHSA-jhhm-w7f7-gvp5

Authentication Bypass N A

9.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

May 20, 2026 - 14:23 vuln.today

CVSS changed

May 20, 2026 - 14:22 NVD

9.1 (CRITICAL)

CVE Published

May 19, 2026 - 00:00 nvd

UNKNOWN (no severity yet)

DescriptionNVD

API endpoints in LalanaChami Pharmacy Management System (commit 5c3d028) lack authentication middleware. Unauthenticated remote attackers can exploit this to dump all user records (including bcrypt password hashes) via /api/user/getUserData, modify drug inventory, and access private medical prescription data via /api/doctorOder.

AnalysisAI

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump all user records including bcrypt password hashes, tamper with drug inventory, and read private medical prescription data. The flaw stems from missing authentication middleware on backend Express routes such as /api/user/getUserData and /api/doctorOder. …

RemediationAI

WITHIN 24 HOURS: Isolate LalanaChami instances from external networks or take offline; audit logs for API calls to /api/user/getUserData and /api/doctorOder endpoints for past 90 days; notify incident response, legal, and healthcare compliance teams. WITHIN 7 DAYS: Complete forensic analysis to determine scope of unauthorized access; reset all system user credentials; escalate to LalanaChami vendor for patch timeline and workaround options. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-31071 vulnerability details – vuln.today

Back

Pharmacy Management System CVE-2026-31071

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code