8.7

OpenEMR Electronic Health Records App Allows Malicious File Uploads

CVE-2026-24848
Summary

A security flaw in OpenEMR's electronic health records and practice management application allows authenticated users to upload malicious files that can execute code on the server, potentially leading to unauthorized access and data compromise. This affects all versions up to and including 7.0.4. To protect your data, update to the latest version of OpenEMR as soon as possible.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| open-emr | openemr | <= 7.0.4 | – |
Original title
OpenEMR is a free and open source electronic health records and medical practice management application. In 7.0.4 and earlier, the disposeDocument() method in EtherFaxActions.php allows authenticat...
Original description
OpenEMR is a free and open source electronic health records and medical practice management application. In 7.0.4 and earlier, the disposeDocument() method in EtherFaxActions.php allows authenticated users to write arbitrary content to arbitrary locations on the server filesystem. This vulnerability can be exploited to achieve Remote Code Execution (RCE) by uploading malicious PHP web shells.
NVD CVSS 3.1: 9.9
NVD CVSS 4.0: 8.7
Vulnerability type
CWE-22 Path Traversal
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026