CVE-2026-31070
CriticalSummary
The LalanaChami Pharmacy Management System (commit 5c3d028) allows unauthenticated remote attackers to escalate privileges by self-assigning an administrative role during registration. The /api/user/signup endpoint fails to validate the role parameter in the request body.
Risk Assessment
Attackers could gain access to administrative functions of the system, potentially leading to serious data breaches and disruptions in pharmacy operations.
Recommendation
It is recommended to implement validation of the role parameter in the registration endpoint to prevent unauthorized role assignments.
Original NVD description (English source)
The LalanaChami Pharmacy Management System (commit 5c3d028) allows unauthenticated remote attackers to escalate privileges by self-assigning an administrative role during registration. The /api/user/signup endpoint fails to validate the role parameter in the request body

