Vulnerability Report

CVE-2026-32238

RCE

Title: OpenEMR command injection in backup functionality

RCE

Proof Of Concept

PoC Available for CVE-2026-32238

CWE Category CWE-78
Published Date Mar 19, 2026
Modified Date Mar 20, 2026
Exploit Status Available
Score 9.1 CVSS v3.1
Exploit Probability (EPSS)
1.89%

Vulnerability Summary

CVE-2026-32238: OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.2 contain a Command injection vulnerability in the backup functionality that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the backup functionality. Version 8.0.0.2 fixes the issue.

Impacted Vendors

O
openemr 1
O
open-emr 1

Reference Links

https://github.com/openemr/openemr/commit/7bc7bd077a624e205daed17658de41af6070ef73 https://github.com/openemr/openemr/security/advisories/GHSA-6pmc-3xm7-pm86
CVSS v3.1
Source Entity [email protected]
Severity CRITICAL
9.1
Attack Vector
NETWORK
Complexity
LOW
Privileges
N/A
Interaction
NONE
Confidentiality
N/A
Integrity
N/A
Availability
N/A
Scope
CHANGED
RAW VECTOR CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2026-32238 Exploits & PoCs (Proof Of Concept)

GitHub https://github.com/ChrisSub08/CVE-2026-32238_RemoteCodeExecutionOpenEMR8.0.0
View Code
MODIFIED

Vulnerability data updated via NVD.

MODIFIED

Vulnerability data updated via NVD.

MODIFIED

Vulnerability data updated via NVD.

MODIFIED

Vulnerability data updated via NVD.

MODIFIED

Vulnerability data updated via NVD.

Attack Vector Matrix

Access Vector NETWORK
Complexity LOW
Privileges N/A
Interaction NONE
CVSS Vector String CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Affected Stack

No specific products linked.