{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1550", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-01-28T16:55:20.754Z", "datePublished": "2026-01-28T23:02:10.342Z", "dateUpdated": "2026-02-23T09:03:01.284Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T09:03:01.284Z"}, "title": "PHPGurukul Hospital Management System Admin Dashboard adminviews.py improper authorization", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-285", "lang": "en", "description": "Improper Authorization"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-266", "lang": "en", "description": "Incorrect Privilege Assignment"}]}], "affected": [{"vendor": "PHPGurukul", "product": "Hospital Management System", "versions": [{"version": "1.0", "status": "affected"}], "cpes": ["cpe:2.3:a:phpgurukul:hospital_management_system:*:*:*:*:*:*:*:*"], "modules": ["Admin Dashboard Page"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in PHPGurukul Hospital Management System 1.0. Affected by this issue is some unknown functionality of the file /hms/hospital/docappsystem/adminviews.py of the component Admin Dashboard Page. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R", "baseSeverity": "MEDIUM"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "timeline": [{"time": "2026-01-28T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-01-28T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-02-09T17:03:04.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "hackerfactory (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.343246", "name": "VDB-343246 | PHPGurukul Hospital Management System Admin Dashboard adminviews.py improper authorization", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.343246", "name": "VDB-343246 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.739837", "name": "Submit #739837 | PHPGurukul Hospital Management System v1.0 Missing Authorization", "tags": ["third-party-advisory"]}, {"url": "https://github.com/rsecroot/Hospital-Management-System/blob/main/Broken%20Access%20Control.md", "tags": ["exploit"]}, {"url": "https://phpgurukul.com/", "tags": ["product"]}], "tags": ["x_freeware"]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-29T15:58:30.381996Z", "id": "CVE-2026-1550", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T16:53:41.921Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1550", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-29T15:58:30.381996Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-29T15:58:37.084Z"}}], "cna": {"tags": ["x_freeware"], "title": "PHPGurukul Hospital Management System Admin Dashboard adminviews.py improper authorization", "credits": [{"lang": "en", "type": "reporter", "value": "hackerfactory (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 6.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR"}}], "affected": [{"cpes": ["cpe:2.3:a:phpgurukul:hospital_management_system:*:*:*:*:*:*:*:*"], "vendor": "PHPGurukul", "modules": ["Admin Dashboard Page"], "product": "Hospital Management System", "versions": [{"status": "affected", "version": "1.0"}]}], "timeline": [{"lang": "en", "time": "2026-01-28T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-01-28T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-02-09T17:03:04.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.343246", "name": "VDB-343246 | PHPGurukul Hospital Management System Admin Dashboard adminviews.py improper authorization", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.343246", "name": "VDB-343246 | CTI Indicators (IOB, IOC, TTP, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.739837", "name": "Submit #739837 | PHPGurukul Hospital Management System v1.0 Missing Authorization", "tags": ["third-party-advisory"]}, {"url": "https://github.com/rsecroot/Hospital-Management-System/blob/main/Broken%20Access%20Control.md", "tags": ["exploit"]}, {"url": "https://phpgurukul.com/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in PHPGurukul Hospital Management System 1.0. Affected by this issue is some unknown functionality of the file /hms/hospital/docappsystem/adminviews.py of the component Admin Dashboard Page. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "Improper Authorization"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-266", "description": "Incorrect Privilege Assignment"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-02-23T09:03:01.284Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1550", "state": "PUBLISHED", "dateUpdated": "2026-02-23T09:03:01.284Z", "dateReserved": "2026-01-28T16:55:20.754Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-01-28T23:02:10.342Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:phpgurukul:hospital_management_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "0D7CB92F-609E-4807-A613-7AA413460314", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in PHPGurukul Hospital Management System 1.0. Affected by this issue is some unknown functionality of the file /hms/hospital/docappsystem/adminviews.py of the component Admin Dashboard Page. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks."}, {"lang": "es", "value": "Se ha descubierto una falla de seguridad en PHPGurukul Hospital Management System 1.0. Este problema afecta a alguna funcionalidad desconocida del archivo /hms/hospital/docappsystem/adminviews.py del componente P\u00e1gina del Panel de Administraci\u00f3n. Realizar una manipulaci\u00f3n resulta en una autorizaci\u00f3n indebida. Es posible la explotaci\u00f3n remota del ataque. El exploit ha sido publicado y puede ser utilizado para ataques."}], "id": "CVE-2026-1550", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.1, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-01-28T23:15:51.067", "references": [{"source": "cna@vuldb.com", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "url": "https://github.com/rsecroot/Hospital-Management-System/blob/main/Broken%20Access%20Control.md"}, {"source": "cna@vuldb.com", "tags": ["Product"], "url": "https://phpgurukul.com/"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.343246"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.343246"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.739837"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-266"}, {"lang": "en", "value": "CWE-285"}], "source": "cna@vuldb.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T01:33:02.710822+00:00", "value": {"mitigation_remediation": ["Verify that the PHPGurukul Hospital Management System version is 1.0 or earlier and contact the vendor for an update or patch. ", "Restrict the admin dashboard endpoints to authorized users only, enforcing strong authentication and role\u2011based access controls to mitigate until a vendor patch is available. ", "Configure a Web Application Firewall or security rule to block suspicious requests targeting the /adminviews.py endpoint, or limit access by IP address."], "summary": {"action": "Patch Immediately", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The affected product is PHPGurukul Hospital Management System version 1.0, released by vendor PHPGurukul. The flaw appears in the component managing admin pages, specifically the /hms/hospital/docappsystem/adminviews.py endpoint. No additional vendor or OS details are provided, and the scope appears limited to the admin dashboard functionality.", "description_and_impact": "A flaw discovered in the admin views file of PHPGurukul Hospital Management System 1.0 allows attackers to bypass authorization checks, leading to unauthorized access to administrative functions. The vulnerability resides in adminviews.py and can be exploited remotely through crafted HTTP requests. It falls under CWE\u2011266 (Improper Privilege Management) and CWE\u2011285 (Improper Authorization).", "risk_and_exploitability": "The CVSS v3.1 score of 5.3 indicates a moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation so far. However, the vulnerability is remotely exploitable and an exploit has already been released to the public, meaning attackers can potentially use it to gain privileged access. The vulnerability is not yet listed in the CISA KEV catalog. The likely attack vector is through unauthorized HTTP requests to the admin views endpoint, so an attacker who can reach the web application could use the flaw to elevate privileges or manipulate sensitive data."}}}}, "created": "2026-01-29T09:09:08.840143+00:00", "updated": "2026-04-18T01:45:33.390731+00:00", "vendors": ["phpgurukul", "phpgurukul$PRODUCT$hospital_management_system"]}