EIP-2026-119679

PRE-CVE

OpenMRS 2.3 (1.11.4) - Expression Language Injection

Title source: legacy

Exploitation Summary

EIP tracks 1 public exploit for EIP-2026-119679. PoCs published by LiquidWorm.

AI-analyzed exploit summary: This advisory details an Expression Language (EL) injection vulnerability in OpenMRS, where the 'personType' parameter in 'addPerson.htm' is not properly sanitized, allowing remote code execution by authenticated users. The document includes technical details, affected versions, and vendor fixes.

Description

OpenMRS 2.3 (1.11.4) - Expression Language Injection

Exploits (1)

exploitdb WRITEUP
by LiquidWorm · text · webapps · xml
https://www.exploit-db.com/exploits/38897


Classification: Writeup 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: OpenMRS (Platform 1.11.4, 1.11.2, 1.10.0, and other versions)
Auth required
Prerequisites: Authenticated access to OpenMRS · Vulnerable version of OpenMRS or related modules
devstral-2 · analyzed Feb 18, 2026

Details

Status: pre_cve
Tracked Since: Feb 18, 2026