Description
This vulnerability exists in e-Sushrut due to disclosure of sensitive information and hardcoded AES encryption keys in client-side JavaScript. An unauthenticated remote attacker could exploit this vulnerability by accessing the client-side code to extract sensitive information and cryptographic keys.

Successful exploitation of this vulnerability could lead to exposure of sensitive data and compromise of cryptographic protections on the targeted system.
Published: 2026-04-29
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in e‑Sushrut HMIS allows an unauthenticated remote attacker to retrieve sensitive data and hard‑coded AES encryption keys from the client‑side JavaScript. Because the script is served to every visitor, no exploit beyond requesting the public code and reading it is needed; whatever those keys protect is then readable (and, for a symmetric key, forgeable) by anyone. The weakness is CWE‑321 (Use of Hard‑coded Cryptographic Key).

Affected Systems

The advisory names only "previous versions" of CDAC‑Noida's e‑Sushrut Hospital Management Information System (the CPE entry uses previous_versions) and lists no specific version numbers, so any deployment that still ships the insecure client script should be assumed affected until it is upgraded and its keys are rotated.

Risk and Exploitability

With a CVSS 4.0 score of 8.7 the flaw is high severity and can be leveraged without authentication or user interaction: anyone who can fetch the web interface's JavaScript can extract the keys and confidential data. The vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N) rates the direct impact as confidentiality only, with no integrity or availability impact scored. Although EPSS is unavailable and the issue is not in the CISA KEV catalog, a key that sits in public client code is already compromised, so the risk of data exposure is realistic.

Generated by OpenCVE AI on April 29, 2026 at 09:50 UTC.

Remediation

Vendor Solution

Contact C-DAC to upgrade e-Sushrut HMIS to the latest version.


OpenCVE Recommended Actions

  • Contact C‑DAC and upgrade to the latest supported version of e‑Sushrut HMIS that removes the hard‑coded keys.
  • Audit the client‑side code as it is actually served (every JavaScript bundle, inline script and source map) for embedded keys, IVs and other sensitive data. Treat any key found there as compromised: rotate it and re‑encrypt whatever it protected. Fetching the key from the server at runtime instead of embedding it does not fix the weakness, because the browser still receives it and so does anyone who controls the browser.
  • Move encryption of sensitive data to the server, with keys held in environment variables or a key vault so they are never transmitted to or stored in the browser; rely on TLS to protect the data in transit.

Generated by OpenCVE AI on April 29, 2026 at 09:50 UTC.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 09:15:00 +0000

All entries below were added in this revision; nothing was removed.

Description (added): This vulnerability exists in e-Sushrut due to disclosure of sensitive information and hardcoded AES encryption keys in client-side JavaScript. An unauthenticated remote attacker could exploit this vulnerability by accessing the client-side code to extract sensitive information and cryptographic keys. Successful exploitation of this vulnerability could lead to exposure of sensitive data and compromise of cryptographic protections on the targeted system.
Title (added): Information Disclosure Vulnerability in e-Sushrut HMIS
First Time appeared (added): Cdac-noida; Cdac-noida e-sushrut Hospital Management Information System Hmis
Weaknesses (added): CWE-321
CPEs (added): cpe:2.3:a:cdac-noida:e-sushrut_hospital_management_information_system_hmis_:previous_versions:*:*:*:*:*:*:*
Vendors & Products (added): Cdac-noida; Cdac-noida e-sushrut Hospital Management Information System Hmis
References: none
Metrics (added): cvssV4_0, score 8.7, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N


MITRE

Status: PUBLISHED

Assigner: CERT-In

Published:

Updated: 2026-04-29T08:37:32.944Z

Reserved: 2026-04-28T08:14:36.620Z

Link: CVE-2026-42518

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-29T09:16:25.047

Modified: 2026-04-29T09:16:25.047

Link: CVE-2026-42518

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T11:30:09Z

Weaknesses