Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability has been found in PicoTronica e-Clinic Healthcare System ECHS 5.7. This affects an unknown function of the file /cdemos/echs/api/v2/ of the component Response Header Handler. Such manipulation leads to information disclosure. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. Upgrading to version 5.7.1 mitigates this issue. It is suggested to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
AnalysisAI
Information disclosure in PicoTronica e-Clinic Healthcare System ECHS 5.7 allows remote unauthenticated attackers to extract sensitive data via the Response Header Handler in the /cdemos/echs/api/v2/ endpoint. The vulnerability has been publicly disclosed with exploit code available, and a patch (version 5.7.1) has been released by the vendor.
Technical ContextAI
The vulnerability resides in the Response Header Handler component of the ECHS API v2 endpoint. The root cause is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor), indicating improper handling or filtering of sensitive data in HTTP response headers. The affected component processes API requests to /cdemos/echs/api/v2/ and fails to properly restrict information disclosure through response headers, allowing remote attackers without authentication to observe or extract confidential data that should not be exposed.
RemediationAI
Upgrade PicoTronica e-Clinic Healthcare System ECHS immediately to version 5.7.1 or later, which includes the vendor-released patch. The vendor has confirmed a professional and rapid response with a fixed version available. Organizations unable to upgrade immediately should restrict network access to the /cdemos/echs/api/v2/ endpoint using a Web Application Firewall (WAF) or network-layer controls, limiting exposure to trusted administrative networks only. Disable or restrict the Response Header Handler component if it is optional and not required for operational use. Monitor HTTP response headers from the affected endpoint for evidence of information disclosure and review access logs for unauthorized API calls to this endpoint.
Missing authentication in PicoTronica e-Clinic Healthcare System ECHS 5.7 allows remote unauthenticated attackers to acc
Hard-coded administrative credentials in PicoTronica e-Clinic Healthcare System ECHS 5.7 enable remote attackers to bypa
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28206