Which versions of PHP are affected by CVE-2026-6602?

rickxy Hospital Management System contains an unauthenticated file upload vulnerability (CVE-2026-6602) that allows attackers to upload malicious files and execute code on hospital infrastructure.

Is there a public PoC exploit available for CVE-2026-6602?

Yes, a public proof-of-concept exploit is available for CVE-2026-6602. Prioritise patching immediately. EPSS: 0.0%.

PHP CVE-2026-6602

Q: What is the CVSS score of CVE-2026-6602?

CVE-2026-6602 has a CVSS 4.0 base score of 5.5 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-23768 MEDIUM

Unrestricted Upload of File with Dangerous Type (CWE-434)

2026-04-20 VulDB

PHP File Upload

5.5

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

CVSS changed

Apr 29, 2026 - 01:12 NVD

6.9 (MEDIUM) 5.5 (MEDIUM)

PoC Detected

Apr 29, 2026 - 01:00 vuln.today

Public exploit code

Severity Changed

Apr 20, 2026 - 04:22 NVD

HIGH MEDIUM

CVSS changed

Apr 20, 2026 - 04:22 NVD

7.3 (HIGH) 6.9 (MEDIUM)

Analysis Generated

Apr 20, 2026 - 04:10 vuln.today

EUVD ID Assigned

Apr 20, 2026 - 04:00 euvd

EUVD-2026-23768

Analysis Generated

Apr 20, 2026 - 04:00 vuln.today

CVE Published

Apr 20, 2026 - 03:45 nvd

MEDIUM 5.5

DescriptionNVD

A vulnerability was found in rickxy Hospital Management System up to 88a4290d957dc5bdde8a56e5ad451ad14f7f90f4. Affected is an unknown function of the file /backend/admin/his_admin_account.php. The manipulation of the argument ad_dpic results in unrestricted upload. The attack can be executed remotely. The exploit has been made public and could be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable.

AnalysisAI

Unrestricted file upload in rickxy Hospital Management System allows remote unauthenticated attackers to upload malicious files via the /backend/admin/his_admin_account.php endpoint, leading to potential remote code execution, data exfiltration, or system compromise. Public exploit code exists (GitHub), significantly lowering exploitation barrier. …

RemediationAI

Within 24 hours: Isolate or restrict network access to rickxy Hospital Management System, particularly the /backend/admin/his_admin_account.php endpoint; review access logs for suspicious file uploads. Within 7 days: Deploy a Web Application Firewall (WAF) rule to block POST requests to the vulnerable endpoint; contact rickxy vendor regarding patch timeline and rolling release versioning; inventory all instances and document versions currently deployed. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-6602 vulnerability details – vuln.today

Back

PHP CVE-2026-6602

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

PHP CVE-2026-6602

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code