98/69 Wednesday, February 18, 2026
A serious security vulnerability has been discovered in the systems of DavaIndia Pharmacy, one of India’s major pharmacy chains operated by Zota Health Care Ltd. The flaw could have allowed malicious actors to access customer order information and escalate privileges to gain full administrative control of the platform. This posed significant risks to personal data protection and the integrity of the company’s pharmaceutical distribution controls.
The vulnerability was identified by security researcher Eaton Zveare. During an analysis of the company’s website, which was developed using Next.js, the researcher discovered an exposed admin subdomain that provided access to super-admin API endpoints without authentication. When testing the endpoint through a browser, the system returned a list of high-level administrator accounts without any authorization checks. The researcher was then able to create a new super-admin account via a POST request and obtain complete control over the platform.
With elevated privileges, an attacker could access and modify branch store data, pharmacist records, order details, customer personal information, product listings, inventory, and discount coupons. The flaw also allowed the creation of 100% discount coupons and the potential disabling of prescription enforcement requirements by modifying system settings-raising serious concerns about regulatory compliance and user privacy. The vulnerability was reported on August 20, 2025, and was remediated within one month. Confirmation of the fix was coordinated with CERT-In on November 28, 2025, before the issue was publicly disclosed on February 13, 2026.
