Description
Hospital Queuing Management developed by Advantech has a Sensitive Data Exposure vulnerability, allowing unauthenticated remote attackers to access a specific URL to obtain API documentation.
Published: 2026-06-30
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the Hospital Queuing Management system from Advantech, permitting unauthenticated remote attackers to query a specific URL and retrieve the API documentation. This exposure leaks potentially sensitive operational details and could be leveraged to glean service endpoints, authentication mechanisms, or configuration parameters. The weakness is classified as CWE-200, indicating a Sensitive Data Exposure flaw.

Affected Systems

Affected systems include the Advantech Hospital Queuing Management application. The CVE specifically applies to installations running versions prior to HQM ISO 1.2.13 or QueueHttp.dll 1.2.12.7. All users of the current unpatched product are at risk, as the exposed endpoint is part of the standard installation without additional security controls.

Risk and Exploitability

The vulnerability has a CVSS score of 8.7, categorising it as high severity. Because the exploit requires no authentication and only a simple HTTP request, the likelihood of exploitation is relatively high, even though an EPSS score is not provided. The attack vector is likely to be a direct web request to the vulnerable URL. The vulnerability is not listed in the CISA KEV catalog, but timely remediation is recommended given the high CVSS score and straightforward exploit path.

Generated by OpenCVE AI on June 30, 2026 at 12:23 UTC.

Remediation

Vendor Solution

Update HQM ISO to version 1.2.13 or later, or update QueueHttp.dll to version 1.2.12.7 or later.


OpenCVE Recommended Actions

  • Upgrade the affected component by installing HQM ISO 1.2.13 or later, or QueueHttp.dll 1.2.12.7 or later.
  • Until the upgrade can be performed, restrict network traffic to the vulnerable endpoint, for example by firewall rules or by placing the service behind authentication and rate limiting.
  • Disable or remove publicly accessible API documentation endpoints that expose sensitive information until the product is patched.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 11:45:00 +0000

Type Values Removed Values Added
Description Hospital Queuing Management developed by Advantech has a Sensitive Data Exposure vulnerability, allowing unauthenticated remote attackers to access a specific URL to obtain API documentation.
Title Advantech|Hospital Queuing Management - Sensitive Data Exposure
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-06-30T12:26:28.971Z

Reserved: 2026-06-30T02:02:22.471Z

Link: CVE-2026-14161

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T12:30:13Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor