High (7.3)

Hospital Management System arbitrary file upload (CVE-2026-6602)


Unauthenticated file upload bug in rickxy Hospital Management System can be exploited to plant web shells and seize servers. Upgrade to commit 88a4290d957 or newer to patch.

Vendor-confirmed: CVE-2026-6602 is a high-severity unauthenticated arbitrary file upload vulnerability in rickxy Hospital Management System before commit 88a4290d957. It lets remote attackers upload malicious scripts such as web shells, enabling full server compromise. Apply the patched commit immediately to mitigate active exploitation risk.

Overview

A high-severity vulnerability (CVSS 7.3) has been identified in the rickxy Hospital Management System. The flaw allows an unauthenticated, remote attacker to upload arbitrary files to the web server, which can lead to a complete system compromise.

Vulnerability Details

The vulnerability exists in the /backend/admin/his_admin_account.php file. Specifically, the ad_dpic argument does not properly validate or restrict uploaded files. Because the attack requires no authentication (Privileges Required: NONE) and can be launched over the network (Attack Vector: NETWORK), any internet-facing instance is at immediate risk.

While the exact function is unknown, the “unrestricted upload” mechanism typically allows an attacker to upload a malicious script, such as a web shell. Once uploaded, this script can be executed to steal sensitive data, manipulate patient records, disrupt hospital operations, or use the server as a foothold for further attacks within the network.

Affected Products

This vulnerability affects the rickxy Hospital Management System up to commit 88a4290d957dc5bdde8a56e5ad451ad14f7f90f4. The product uses a rolling release model, meaning traditional version numbers are not used. All instances running code from before this commit are vulnerable.

Remediation and Mitigation

Primary Action: Patch Immediately. Administrators must apply any available vendor update that fixes the code at commit 88a4290d957dc5bdde8a56e5ad451ad14f7f90f4. Contact the software provider for specific patch guidance.

Immediate Mitigations:

  1. Restrict Network Access: If possible, ensure the Hospital Management System is not directly accessible from the internet. Place it behind a VPN or firewall with strict access controls.
  2. Web Application Firewall (WAF): Deploy a WAF configured to block malicious file upload attempts targeting the affected file path.
  3. File Integrity Monitoring: Monitor the /backend/admin/ directory for unauthorized file creation, especially PHP or executable files.
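One way to implement mitigation 3, as an added example that is not from the advisory or the rickxy project: a small integrity check that walks the directory receiving ad_dpic uploads and flags executable scripts, double extensions, server config files, and files whose bytes do not match their image extension. The directory layout and the sample files built by build_sample_dir() are constructed for illustration.

```python
import os
import tempfile
# Extensions a PHP server may execute; .htaccess can re-map other extensions.
SCRIPT_EXT = {".php", ".phtml", ".phar", ".php3", ".php5", ".php7", ".phps", ".htaccess"}
# Magic bytes for the image types a profile-picture field (ad_dpic) should accept.
IMAGE_MAGIC = {".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
               ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a")}

def classify(path):
    """Return a finding label for a suspicious file, or None if it looks benign."""
    name = os.path.basename(path).lower()
    root, ext = os.path.splitext(name)  # ".htaccess" -> root=".htaccess", ext=""
    if name in SCRIPT_EXT or ext in SCRIPT_EXT:
        return "script-or-config"
    # Double extension such as shell.php.jpg: an executable extension hidden inside.
    if {"." + part for part in root.split(".")[1:]} & SCRIPT_EXT:
        return "double-extension"
    if ext not in IMAGE_MAGIC:
        return "unexpected-type"
    with open(path, "rb") as fh:
        head = fh.read(8)
    if not any(head.startswith(magic) for magic in IMAGE_MAGIC[ext]):
        return "content-mismatch"  # e.g. PHP source saved with a .png name
    return None

def scan_upload_dir(directory):
    """Walk the directory; return {relative_path: finding} for every suspicious file."""
    findings = {}
    for base, _dirs, files in os.walk(directory):
        for fname in files:
            full = os.path.join(base, fname)
            verdict = classify(full)
            if verdict:
                findings[os.path.relpath(full, directory)] = verdict
    return findings

def build_sample_dir():
    """Create a constructed upload directory mixing benign and suspicious files."""
    d = tempfile.mkdtemp(prefix="hms_uploads_")
    samples = {"avatar.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,  # genuine JPEG header
               "logo.png": b"<?php echo 'not an image'; ?>",      # PHP source named .png
               "shell.php.jpg": b"\xff\xd8\xff\xe0",              # double extension
               "cmd.phtml": b"<?php echo 1; ?>",                  # executable script
               ".htaccess": b"# constructed sample"}              # server config in upload dir
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d
```

Run scan_upload_dir() against the real upload directory from a scheduled job and alert on any non-empty result; only avatar.jpg in the constructed sample passes clean.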

Since a public exploit exists, treating this vulnerability as a high-priority item is crucial to prevent potential breaches.

Security Insight

This vulnerability underscores the persistent threat of insecure direct object references and missing validation in healthcare software, a sector handling extremely sensitive data. Similar unrestricted upload flaws in other management systems have frequently been the initial entry point for ransomware attacks, which can have catastrophic operational and safety impacts in a hospital environment. The rolling release model, while enabling continuous delivery, can complicate vulnerability tracking and patch verification for administrators.
