CVE-2019-14530

HIGH NUCLEI LAB

OpenEMR < 5.0.2 - Path Traversal and Arbitrary File Deletion via fileName Parameter

Exploitation Summary

EIP tracks 3 public exploits for CVE-2019-14530. PoCs were published by Ron Jost, sec-it, and Wezery. A Nuclei detection template is also available.

AI-analyzed exploit summary: This exploit leverages a path traversal vulnerability in OpenEMR's custom/ajax_download.php via the fileName parameter, allowing authenticated attackers to read arbitrary files on the server. The script authenticates with provided credentials and constructs a malicious URL to retrieve the specified file.

Description

An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file (that is readable by the user www-data) from server storage. If the requested file is writable by the www-data user and the directory /var/www/openemr/sites/default/documents/cqm_qrda/ exists, it will be deleted from the server.

Exploits (3)

exploitdb WORKING POC
by Ron Jost · python · webapps · php
https://www.exploit-db.com/exploits/50037

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: OpenEMR versions prior to 5.0.2
Auth required
Prerequisites: Valid OpenEMR credentials · Network access to the target
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 4 stars
by sec-it · poc
https://github.com/sec-it/exploit-CVE-2019-14530

This repository contains a functional Ruby exploit for CVE-2019-14530, an authenticated path traversal vulnerability in OpenEMR versions prior to 5.0.2. The exploit leverages a vulnerable endpoint to read arbitrary files on the server, demonstrated by reading /etc/passwd.

Classification: Working PoC 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: OpenEMR < 5.0.2
Auth required
Prerequisites: Valid admin credentials · Network access to the OpenEMR instance
devstral-2 · analyzed Feb 18, 2026

nomisec WRITEUP
by Wezery · poc
https://github.com/Wezery/CVE-2019-14530

This repository provides a detailed technical analysis of CVE-2019-14530, a path traversal and DoS vulnerability in OpenEMR. It explains the vulnerable function, conditions for exploitation, and the impact of the vulnerability, including information disclosure and denial of service.

Classification: Writeup 95%
Attack Type: Info Leak | DoS
Complexity: Moderate
Reliability: Reliable
Target: OpenEMR <5.0.2
Auth required
Prerequisites: Authorized user access · Existence of specific directory for DoS case
devstral-2 · analyzed Feb 18, 2026

Nuclei Templates (1)

OpenEMR <5.0.2 - Local File Inclusion
HIGH · VERIFIED · by TenBird
Shodan: http.html:"openemr" || http.title:"openemr" || http.favicon.hash:1971268439
FOFA: icon_hash=1971268439 || body="openemr" || title="openemr" || app="openemr"

References (5)

Core References
Patch, Third Party Advisory x_refsource_misc
https://github.com/openemr/openemr/pull/2592
Exploit, Third Party Advisory x_refsource_misc
https://github.com/Wezery/CVE-2019-14530
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/163215/OpenEMR-5.0.1.7-Path-Traversal.html
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/163375/OpenEMR-5.0.1.7-Path-Traversal.html

Scores

CVSS v3 8.8
EPSS 0.6689
EPSS Percentile 99.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE CWE-22
Status published
Products (1)
open-emr/openemr < 5.0.2
Published Aug 13, 2019
Tracked Since Feb 18, 2026