CVE-2026-32238CRITICAL 9.1EPSS p76.9%

CVE-2026-32238CVE-2026-32238

Description

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.2 contain a Command injection vulnerability in the backup functionality that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the backup functionality. Version 8.0.0.2 fixes the issue.

Scoring

CVSS 3.19.1 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS1.89% probability of exploitation · percentile 76.9% · 2026-06-19T12:03:05Z
Published2026-03-19
Last modified2026-03-20

Underlying weaknesses· 1

CWE-78

References

  1. https://github.com/openemr/openemr/commit/7bc7bd077a624e205daed17658de41af6070ef73
  2. https://github.com/openemr/openemr/security/advisories/GHSA-6pmc-3xm7-pm86
  3. https://github.com/openemr/openemr/security/advisories/GHSA-6pmc-3xm7-pm86

1

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Special Elements used in an OS Command ('OS Command Injection')cwe-780%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-33910
CVE
CVE-2026-23627
CVE
CVE-2026-25746
CVE
CVE-2026-33917
CVE
CVE-2026-32127
CVE
CVE-2026-29187
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.