Skip to main content

PicoTronica e-Clinic Healthcare System ECHS CVE-2026-8033

| EUVDEUVD-2026-28206 MEDIUM
Information Exposure (CWE-200)
2026-05-06 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
May 06, 2026 - 20:22 NVD
5.3 (MEDIUM) 5.5 (MEDIUM)
Analysis Generated
May 06, 2026 - 20:00 vuln.today
CVE Published
May 06, 2026 - 19:30 nvd
MEDIUM 5.3

DescriptionCVE.org

A vulnerability has been found in PicoTronica e-Clinic Healthcare System ECHS 5.7. This affects an unknown function of the file /cdemos/echs/api/v2/ of the component Response Header Handler. Such manipulation leads to information disclosure. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. Upgrading to version 5.7.1 mitigates this issue. It is suggested to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

AnalysisAI

Information disclosure in PicoTronica e-Clinic Healthcare System ECHS 5.7 allows remote unauthenticated attackers to extract sensitive data via the Response Header Handler in the /cdemos/echs/api/v2/ endpoint. The vulnerability has been publicly disclosed with exploit code available, and a patch (version 5.7.1) has been released by the vendor.

Technical ContextAI

The vulnerability resides in the Response Header Handler component of the ECHS API v2 endpoint. The root cause is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), indicating improper handling or filtering of sensitive data in HTTP response headers. The affected component processes API requests to /cdemos/echs/api/v2/ and fails to properly restrict information disclosure through response headers, allowing remote attackers without authentication to observe or extract confidential data that should not be exposed.

RemediationAI

Upgrade PicoTronica e-Clinic Healthcare System ECHS immediately to version 5.7.1 or later, which includes the vendor-released patch. The vendor has confirmed a professional and rapid response with a fixed version available. Organizations unable to upgrade immediately should restrict network access to the /cdemos/echs/api/v2/ endpoint using a Web Application Firewall (WAF) or network-layer controls, limiting exposure to trusted administrative networks only. Disable or restrict the Response Header Handler component if it is optional and not required for operational use. Monitor HTTP response headers from the affected endpoint for evidence of information disclosure and review access logs for unauthorized API calls to this endpoint.

Share

CVE-2026-8033 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy