CVE-2018-15139

HIGH LAB

OpenEMR < 5.0.1.4 - Authenticated Arbitrary PHP File Upload via Site Files Manager

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2018-15139. PoCs published by Alexandre ZANNI, Ron Jost, sec-it.

AI-analyzed exploit summary This exploit leverages an authenticated file upload vulnerability in OpenEMR to achieve remote code execution by uploading a malicious PHP file. The script logs in as an admin, then uploads a file with a PHP content type to a vulnerable endpoint.

Description

Unrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary PHP code by uploading a file with a PHP extension via the images upload form and accessing it in the images directory.

Exploits (3)

exploitdb WORKING POC
by Alexandre ZANNI · rubywebappsphp
https://www.exploit-db.com/exploits/50122

This exploit leverages an authenticated file upload vulnerability in OpenEMR to achieve remote code execution by uploading a malicious PHP file. The script logs in as an admin, then uploads a file with a PHP content type to a vulnerable endpoint.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: OpenEMR < 5.0.1.4
Auth required
Prerequisites: Valid admin credentials · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by Ron Jost · pythonwebappsphp
https://www.exploit-db.com/exploits/49998

This exploit demonstrates an authenticated remote code execution vulnerability in OpenEMR versions prior to 5.0.1.4. It uploads a PHP webshell via the 'manage_site_files' interface, allowing arbitrary command execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: OpenEMR < 5.0.1.4
Auth required
Prerequisites: Valid credentials for OpenEMR · Network access to the target · File upload functionality enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 2 stars
by sec-it · poc
https://github.com/sec-it/exploit-CVE-2018-15139

This exploit targets CVE-2018-15139, an authenticated file upload vulnerability in OpenEMR < 5.0.1.4, allowing remote command execution via a malicious PHP file upload. The PoC uses Ruby with HTTPX to authenticate and upload a shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: OpenEMR < 5.0.1.4
Auth required
Prerequisites: Valid admin credentials · Network access to the target · PHP file upload capability
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Scores

CVSS v3 8.8
EPSS 0.7802
EPSS Percentile 99.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Lab Environment

COMMUNITY
Community Lab
docker pull openemr/openemr:5.0.0

Details

CWE
CWE-434
Status published
Products (1)
open-emr/openemr < 5.0.1.4
Published Aug 13, 2018
Tracked Since Feb 18, 2026