Unrated severityNVD Advisory· Published Aug 1, 2025· Updated Apr 7, 2026

OpenEMR ≤ 4.1.1 SQL Injection Privilege Escalation and RCE

CVE-2013-10044

Description

An authenticated SQL injection vulnerability exists in OpenEMR ≤ 4.1.1 Patch 14 that allows a low-privileged attacker to extract administrator credentials and subsequently escalate privileges. Once elevated, the attacker can exploit an unrestricted file upload flaw to achieve remote code execution, resulting in full compromise of the application and its host system.

Affected products

Openemr/Openemrv5
Range: *

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/openemr_sqli_privesc_upload.rbmitreexploit
www.exploit-db.com/exploits/28329mitreexploit
www.exploit-db.com/exploits/28408mitreexploit
www.vulncheck.com/advisories/openemr-sqli-priv-esc-rcemitrethird-party-advisory
www.open-emr.orgmitreproduct

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.004
exploit	0.030
kev	0.000
patch	0.000
ransomware	0.000