Description
Offline Hospital Management System 5.3.0 allows remote code execution due to an improper Electron renderer configuration. The application enables Node.js integration while disabling context isolation, allowing JavaScript executed in the renderer process to access Node.js APIs and execute arbitrary operating system commands.
Published: 2026-05-18
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Offline Hospital Management System version 5.3.0 contains a configuration flaw in its Electron renderer that enables Node.js integration while disabling context isolation. This combination allows JavaScript code executed in the renderer process to access Node.js APIs, which can be used to invoke arbitrary operating system commands. Based on the description, it is inferred that the attacker would need to supply malicious JavaScript within the renderer process to exploit this weakness. The vulnerability thus permits the execution of arbitrary code with the privileges of the application user.

Affected Systems

The flaw is limited to Offline Hospital Management System 5.3.0, an offline application used for hospital administration. No other versions or variants are reported as affected.

Risk and Exploitability

The CVSS score of 7.3 indicates high severity, and the EPSS score of less than 1% suggests that exploits are currently unlikely to be widespread. The vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that exploitation would require an attacker to deliver or run malicious JavaScript in the renderer process, which could arise through local user interaction or the application's ability to load external content. Without a vendor patch, the risk remains significant for systems that allow untrusted code to be executed within the renderer.

Generated by OpenCVE AI on May 20, 2026 at 15:26 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Disable Node.js integration in the Electron renderer if possible or enable context isolation to prevent renderer code from accessing Node.js APIs.
  • Apply any vendor-provided update that removes the improper configuration or otherwise fixes the renderer setup.
  • If no patch is available, restrict the application to load only trusted local resources and avoid exposing the renderer to untrusted input.
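The checks recommended above can be run against an application's window options before release. The following is an added example, not code from the vendor or from this record: it flags the `nodeIntegration`/`contextIsolation` combination described here and restricts loads to local files under the app directory. The function names and the install path are hypothetical, and omitted keys are assumed to take Electron 12+ defaults.

```javascript
// Added example (not the vendor's code). Plain JavaScript, no Electron import
// needed: it audits the options object an app would pass to BrowserWindow.

// Assumption: Electron 12+ defaults apply when a key is omitted.
const DEFAULTS = { nodeIntegration: false, contextIsolation: true };

// Returns a list of findings for one webPreferences object.
function auditWebPreferences(prefs = {}) {
  const eff = { ...DEFAULTS, ...prefs };
  const findings = [];
  if (eff.nodeIntegration !== false) {
    findings.push('nodeIntegration is on: renderer scripts can reach Node.js APIs');
  }
  if (eff.contextIsolation !== true) {
    findings.push('contextIsolation is off: page scripts are not separated from privileged code');
  }
  return findings;
}

// Third recommendation: allow only file: URLs under the app's own directory.
// appRootUrl is a file: URL ending in "/" (hypothetical install path below).
function isTrustedLocalUrl(candidate, appRootUrl) {
  let url, root;
  try {
    url = new URL(candidate);
    root = new URL(appRootUrl);
  } catch {
    return false; // unparsable input is never trusted
  }
  if (url.protocol !== 'file:' || url.host !== '') return false;
  // Encoded slashes/backslashes could hide a traversal from the URL parser.
  if (/%2f|%5c/i.test(url.pathname)) return false;
  // The URL parser has already resolved "." and ".." segments.
  return root.pathname.endsWith('/') && url.pathname.startsWith(root.pathname);
}

// Constructed samples: the combination this record describes, and a fixed one.
const asReported = { nodeIntegration: true, contextIsolation: false };
const hardened = { nodeIntegration: false, contextIsolation: true };
const APP_ROOT = 'file:///opt/hms/resources/app/'; // hypothetical

console.log(auditWebPreferences(asReported));
console.log(auditWebPreferences(hardened));
console.log(isTrustedLocalUrl('https://example.test/page.html', APP_ROOT));
```

In an Electron main process, a check like `isTrustedLocalUrl` would typically be called from navigation and window-open handlers so that anything outside the app directory is refused.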

Advisories

No advisories yet.

History

Wed, 20 May 2026 14:45:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Improper Electron Renderer Configuration in Offline Hospital Management System 5.3.0
Weaknesses CWE-284
CWE-695

Wed, 20 May 2026 12:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-917

Tue, 19 May 2026 18:15:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Improper Electron Renderer Configuration in Offline Hospital Management System 5.3.0
Weaknesses CWE-284
CWE-695

Tue, 19 May 2026 16:00:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Electron Misconfiguration in Offline Hospital Management System
Weaknesses CWE-78

Tue, 19 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 19 May 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Sourceforge
Sourceforge offline Hospital Management System
Vendors & Products Sourceforge
Sourceforge offline Hospital Management System

Mon, 18 May 2026 15:45:00 +0000

Type Values Removed Values Added
Title Remote Code Execution via Electron Misconfiguration in Offline Hospital Management System
Weaknesses CWE-78

Mon, 18 May 2026 14:30:00 +0000

Type Values Removed Values Added
Description Offline Hospital Management System 5.3.0 allows remote code execution due to an improper Electron renderer configuration. The application enables Node.js integration while disabling context isolation, allowing JavaScript executed in the renderer process to access Node.js APIs and execute arbitrary operating system commands.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-20T12:08:04.570Z

Reserved: 2026-02-16T00:00:00.000Z

Link: CVE-2026-26462

Vulnrichment

Updated: 2026-05-19T12:49:55.279Z

NVD

Status: Deferred

Published: 2026-05-18T15:16:25.230

Modified: 2026-05-20T13:16:16.570

Link: CVE-2026-26462

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-20T15:30:33Z

Weaknesses
  • CWE-917

    Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')