CVE-2026-32238

Published: Mar 19, 2026Modified: Mar 20, 2026

9.1

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Exploitability: 2.3 / Impact: 6.0

Source: security-advisories@github.com (Secondary)

Description

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.2 contain a Command injection vulnerability in the backup functionality that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the backup functionality. Version 8.0.0.2 fixes the issue.

Affected (1)

Products: Open Emr: Openemr

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Open Emr Openemr	Before 8.0.0.2

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (3)

https://github.com/openemr/openemr/commit/7bc7bd077a624e205daed17658de41af6070ef73

Source: security-advisories@github.com

Patch

https://github.com/openemr/openemr/security/advisories/GHSA-6pmc-3xm7-pm86

Source: security-advisories@github.com

ExploitMitigationVendor Advisory

https://github.com/openemr/openemr/security/advisories/GHSA-6pmc-3xm7-pm86

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitMitigationVendor Advisory

Timeline

No history available yet.