CVE-2026-32238

CRITICAL

OpenEMR has Remote Code Execution in backup functionality

Title source: cna

Description

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.2 contain a Command injection vulnerability in the backup functionality that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the backup functionality. Version 8.0.0.2 fixes the issue.

Exploits (1)

nomisec WRITEUP

by ChrisSub08 · poc

https://github.com/ChrisSub08/CVE-2026-32238_RemoteCodeExecutionOpenEMR8.0.0

View Code ZIP pw:eip

References (2)

[X_Refsource_Confirm] https://github.com/openemr/openemr/security/advisories/GHSA-6pmc-3xm7-pm86

[X_Refsource_Misc] https://github.com/openemr/openemr/commit/7bc7bd077a624e205daed17658de41af6070ef73

View Writeup ZIP pw:eip

Scores

CVSS v3 9.1

EPSS 0.0008

EPSS Percentile 24.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (2)

open-emr/openemr < 8.0.0.2

openemr/openemr < 8.0.0.2

Published Mar 19, 2026

Tracked Since Mar 20, 2026