A security vulnerability at DavaIndia Pharmacy exposed customer order data and granted full administrative control over its platform. Security researcher Eaton Zveare disclosed that an exposed admin subdomain allowed unauthenticated access to super-admin APIs, which made it possible to create a new super-admin account and take full control of the platform.
With such access, it was possible to view and edit stores, pharmacist details, customer orders, personal data, products, inventory, and coupons; a 100% discount coupon could be generated to illustrate potential abuse. The exposed admin panel also included a “Sponsor Settings” feature that could allow content to be swapped on the homepage.
The flaw was reported on 20 August 2025 and fixed within a month. With CERT-In assistance, closure was confirmed on 28 November 2025, and public disclosure followed on 13 February 2026. DavaIndia, operated by Zota Health Care Ltd., is a large Indian pharmacy retail chain with hundreds of franchised stores nationwide that promotes affordable generic medicines.