Unrestricted File Upload Vulnerability in rickxy Hospital Management System
CVE-2026-6602

6.9MEDIUM

Key Information:

Vendor: Rickxy
Status: Hospital Management System
Vendor: CVE Published:; 20 April 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-6602?

A vulnerability exists in the rickxy Hospital Management System due to improper validation of user inputs in the admin account management functionality. Specifically, the issue is associated with the argument 'ad_dpic,' which allows for unrestricted file uploads. This flaw can be exploited remotely, potentially leading to unauthorized access and execution of arbitrary code on the server. Importantly, the rolling release model of the product complicates the identification of affected versions, underlining the necessity for prompt updates and thorough security reviews.

Affected Version(s)

Hospital Management System 88a4290d957dc5bdde8a56e5ad451ad14f7f90f4

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2026-6602 - Proof of Concept

References

https://vuldb.com/vuln/358237

vdb-entrytechnical-description

https://vuldb.com/vuln/358237/cti

signaturepermissions-required

https://vuldb.com/submit/792092

third-party-advisory

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Apr 20, 2026
👾
Exploit known to exist
Apr 20, 2026
Vulnerability published
Apr 20, 2026
Vulnerability Reserved
Apr 19, 2026

Credit

wacool (VulDB User)

CVE-2026-6602 Data

JSON

Rickxy