CVE-2026-31071
Published 2026-05-19
Priority: P2 · 70 · critical · 9.1 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.55% (41.5th percentile)
API endpoints in LalanaChami Pharmacy Management System (commit 5c3d028) lack authentication middleware. Unauthenticated remote attackers can exploit this to dump all user records (including bcrypt password hashes) via /api/user/getUserData, modify drug inventory, and access private medical prescription data via /api/doctorOder.
GHSA
GHSA-jhhm-w7f7-gvp5: API endpoints in LalanaChami Pharmacy Management System (commit 5c3d028) lack authentication middleware
ghsa_unreviewed · 2026-05-19
CVE-2026-31071 [CRITICAL] CWE-306 GHSA-jhhm-w7f7-gvp5: API endpoints in LalanaChami Pharmacy Management System (commit 5c3d028) lack authentication middleware
VulDB
LalanaChami Pharmacy Management System API Endpoint /api/user/getUserData weak password hash
vuldb · 2026-05-19
CVE-2026-31071 [LOW] LalanaChami Pharmacy Management System API Endpoint /api/user/getUserData weak password hash
A vulnerability classified as problematic was found in LalanaChami Pharmacy Management System. The affected element is an unknown function of the file /api/user/getUserData of the component API Endpoint. Such manipulation leads to password hash with insufficient computational effort.
This vulnerability is referenced as CVE-2026-31071. It is possible to launch the attack remotely. No exploit is available.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.