CVE Catalog

CVE-2026-31070

Critical
Published: Translated: NVD NIST

Summary

The LalanaChami Pharmacy Management System (commit 5c3d028) allows unauthenticated remote attackers to escalate privileges by self-assigning an administrative role during registration. The /api/user/signup endpoint fails to validate the role parameter in the request body.

Risk Assessment

Attackers could gain access to administrative functions of the system, potentially leading to serious data breaches and disruptions in pharmacy operations.

Recommendation

It is recommended to implement validation of the role parameter in the registration endpoint to prevent unauthorized role assignments.

Original NVD description (English source)

The LalanaChami Pharmacy Management System (commit 5c3d028) allows unauthenticated remote attackers to escalate privileges by self-assigning an administrative role during registration. The /api/user/signup endpoint fails to validate the role parameter in the request body

Vulnerability data from NVD (NIST) · CISA KEV · EPSS