
Openmrs Openmrs-Core vulnerabilities

4 known vulnerabilities affecting openmrs/openmrs-core.

Total CVEs: 4
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 3

Vulnerabilities

CVE-2026-40076 | P2 | HIGH | CVSS 8.8 | CWE-22 | versions ≤ 2.7.8; >= 2.8.0, <= 2.8.5 | 2026-05-06
OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earlier and versions 2.8.0 through 2.8.5, the module upload endpoint at POST `/openmrs/ws/rest/v1/module` is vulnerable to a Zip Slip path traversal attack. During automatic extraction of uploaded .omod archives in `WebModuleUtil.startModule()`, ZIP entries
Source: nvd

CVE-2026-40075 | P3 | HIGH | CVSS 7.5 | CWE-22 | versions ≤ 2.7.8; >= 2.8.0, <= 2.8.5 | 2026-05-05
OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earlier and versions 2.8.0 through 2.8.5, the `/openmrs/moduleResources/{moduleid}` endpoint is vulnerable to a path traversal attack. The ModuleResourcesServlet constructs a filesystem path from user-controlled input without performing path boundary validat
Source: nvd

CVE-2026-41258 | P3 | CRITICAL | CVSS 9.1 | CWE-94 | versions >= 2.7.0 < 2.7.9; >= 2.8.0 < 2.8.6 | 2026-05-15
OpenMRS is an open source electronic medical record system platform. From 2.7.0 to before 2.7.9 and 2.8.6, the ConceptReferenceRangeUtility.evaluateCriteria() method in OpenMRS Core evaluates database-stored criteria strings as Apache Velocity templates without any sandbox configuration. The VelocityEngine is initialized with only logging properties
Source: nvd

CVE-2022-23612 | P3 | HIGH | CVSS 7.5 | CWE-22 | versions >= 1.6, < 2.1.5; >= 2.2.0, < 2.2.1; +3 more | 2022-02-22
OpenMRS is a patient-based medical record system focusing on giving providers a free customizable electronic medical record system. Affected versions are subject to arbitrary file exfiltration due to failure to sanitize request when satisfying GET requests for `/images` & `/initfilter/scripts`. This can allow an attacker to access any file on a system
Source: nvd