Vulnerabilities ›

CVE-2026-6602

High

CWE-284 — Weakness Type

                    Published: Apr 20, 2026                      ·  Modified: Apr 27, 2026                      ·  Source: NVD                

CVSS v3

7.3

🔗 NVD Official

📄 Description (English)

A vulnerability was found in rickxy Hospital Management System up to 88a4290d957dc5bdde8a56e5ad451ad14f7f90f4. Affected is an unknown function of the file /backend/admin/his_admin_account.php. The manipulation of the argument ad_dpic results in unrestricted upload. The attack can be executed remotely. The exploit has been made public and could be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable.

🤖 AI Executive Summary

A critical file upload vulnerability exists in rickxy Hospital Management System allowing remote attackers to upload arbitrary files through the ad_dpic parameter in the admin account management interface. This unrestricted upload vulnerability could lead to remote code execution and complete system compromise.

📄 Description (Arabic)

تم اكتشاف ثغرة في نظام إدارة المستشفيات rickxy تسمح بتحميل ملفات غير مقيدة من خلال معامل ad_dpic في ملف /backend/admin/his_admin_account.php. يمكن للمهاجمين البعيدين استغلال هذه الثغرة لتحميل ملفات خطيرة وتنفيذ أكواد ضارة على الخادم.

🤖 ملخص تنفيذي (AI)

🤖 AI Intelligence Analysis Analyzed: May 6, 2026 08:55

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

healthcare government

🎯 MITRE ATT&CK Techniques

T1190 T1434 T1505

⚖️ Saudi Risk Score (AI)

8.0

/ 10.0

🔧 Remediation Steps (English)

Immediately update rickxy Hospital Management System to the latest patched version beyond commit 88a4290d957dc5bdde8a56e5ad451ad14f7f90f4. Implement strict file upload validation including file type whitelisting, size restrictions, and store uploads outside web root. Apply principle of least privilege to admin accounts and disable file execution in upload directories.

🔧 خطوات المعالجة (العربية)

قم بتحديث نظام إدارة المستشفيات rickxy فوراً إلى أحدث إصدار مصحح بعد الالتزام المذكور. طبق التحقق الصارم من تحميل الملفات بما في ذلك قائمة بيضاء لأنواع الملفات وتقييد الحجم وتخزين التحميلات خارج جذر الويب. طبق مبدأ الامتيازات الأقل على حسابات المسؤول وعطل تنفيذ الملفات في مجلدات التحميل.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.8.1.1 A.12.2.1 A.14.2.1

🔵 SAMA CSF

ID.AM-2 PR.AC-1 PR.PT-1

🟡 ISO 27001:2022

A.6.1.1 A.12.2.1 A.14.2.1

🔗 References & Sources 4

🔗

https://github.com/freeloader9527/cve/issues/2

cna@vuldb.com

🔗

https://vuldb.com/submit/792092

cna@vuldb.com

🔗

https://vuldb.com/vuln/358237

cna@vuldb.com

🔗

https://vuldb.com/vuln/358237/cti

cna@vuldb.com

📊 CVSS Score

7.3

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityL — Low / Local

📋 Quick Facts

Severity High

CVSS Score7.3

CWECWE-284

EPSS0.01%

Exploit No

Patch ✗ No

Published 2026-04-20

Source Feed nvd

🇸🇦 Saudi Risk Score

8.0

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-284

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-6602

💬 Comments

Introduce Yourself

Sign In Required