← back
CVE-2026-6602

rickxy Hospital Management System his_admin_account.php unrestricted upload

CVSS 6.9 MEDIUMEPSS 0.4%CWE-284CWE-434
A vulnerability was found in rickxy Hospital Management System up to 88a4290d957dc5bdde8a56e5ad451ad14f7f90f4. Affected is an unknown function of the file /backend/admin/his_admin_account.php. The manipulation of the argument ad_dpic results in unrestricted upload. The attack can be executed remotely. The exploit has been made public and could be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
Affected products
rickxy · Hospital Management System
public PoCs found1
cve_referencegithub.com/freeloader9527/cve/issues/2unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/freeloader9527/cve/issues/2https://vuldb.com/submit/792092https://vuldb.com/vuln/358237https://vuldb.com/vuln/358237/cti