VYPR
Vendor

Openmrs

Products
15
CVEs
33
Across products
43
Status
Private

Products

15

Recent CVEs

33
View all 33 CVEs →
  • CVE-2017-12796CriOct 23, 2017
    risk 0.64cvss 9.8epss 0.04

    The Reporting Compatibility Add On before 2.0.4 for OpenMRS, as distributed in OpenMRS Reference Application before 2.6.1, does not authenticate users when deserializing XML input into ReportSchema objects. The result is that remote unauthenticated users are able to execute…

  • CVE-2017-7990HigApr 21, 2017
    risk 0.57cvss 8.8epss 0.01

    The Reporting Module 1.12.0 for OpenMRS allows CSRF attacks with resultant XSS, in which administrative authentication is hijacked to insert JavaScript into a name field in webapp/reports/manageReports.jsp.

  • CVE-2026-41258CriMay 15, 2026
    risk 0.52cvss 9.1epss 0.00

    OpenMRS is an open source electronic medical record system platform. From 2.7.0 to before 2.7.9 and 2.8.6, the ConceptReferenceRangeUtility.evaluateCriteria() method in OpenMRS Core evaluates database-stored criteria strings as Apache Velocity templates without any sandbox…

  • CVE-2026-40076HigMay 6, 2026
    risk 0.50cvss 8.8epss 0.01

    OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earlier and versions 2.8.0 through 2.8.5, the module upload endpoint at POST `/openmrs/ws/rest/v1/module` is vulnerable to a Zip Slip path traversal attack. During automatic…

  • CVE-2025-46823HigMay 29, 2025
    risk 0.45cvss epss 0.00

    openmrs-module-fhir2 provides the FHIR REST API and related services for OpenMRS, an open medical records system. In versions of the FHIR2 module prior to 2.5.0, privileges were not always correctly checked, which means that unauthorized users may have been able to add or edit…

  • CVE-2026-40075HigMay 5, 2026
    risk 0.42cvss 7.5epss 0.01

    OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earlier and versions 2.8.0 through 2.8.5, the `/openmrs/moduleResources/{moduleid}` endpoint is vulnerable to a path traversal attack. The ModuleResourcesServlet constructs a…

  • CVE-2018-19276Mar 17, 2019
    risk 0.10cvss epss 0.99

    OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a request body.

  • CVE-2025-25927Mar 11, 2025
    risk 0.00cvss epss 0.00

    A Cross-Site Request Forgery (CSRF) in Openmrs 2.4.3 Build 0ff0ed allows attackers to execute arbitrary operations via a crafted GET request.

  • CVE-2025-25929Mar 11, 2025
    risk 0.00cvss epss 0.00

    A reflected cross-site scripting (XSS) vulnerability in the component /legacyui/quickReportServlet of Openmrs 2.4.3 Build 0ff0ed allows attackers to execute arbitrary JavaScript in the context of a user's browser via a crafted payload injected into the reportType parameter.

  • CVE-2025-25925Mar 11, 2025
    risk 0.00cvss epss 0.00

    A stored cross-scripting (XSS) vulnerability in Openmrs v2.4.3 Build 0ff0ed allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the personName.middleName parameter at /openmrs/admin/patients/shortPatientForm.form.

  • CVE-2025-25928Mar 11, 2025
    risk 0.00cvss epss 0.00

    A Cross-Site Request Forgery (CSRF) in the component /admin/users/user.form of Openmrs 2.4.3 Build 0ff0ed allows attackers to execute arbitrary operations via a crafted request. In this case, an attacker could elevate a low-privileged account to an administrative role by…

  • CVE-2020-36636Dec 27, 2022
    risk 0.00cvss epss 0.01

    A vulnerability classified as problematic has been found in OpenMRS Admin UI Module up to 1.4.x. Affected is the function sendErrorMessage of the file omod/src/main/java/org/openmrs/module/adminui/page/controller/systemadmin/accounts/AccountPageController.java of the component…

  • CVE-2021-4292Dec 27, 2022
    risk 0.00cvss epss 0.01

    A vulnerability was found in OpenMRS Admin UI Module up to 1.4.x. It has been rated as problematic. This issue affects some unknown processing of the file omod/src/main/webapp/pages/metadata/privileges/privilege.gsp of the component Manage Privilege Page. The manipulation leads…

  • CVE-2021-4291Dec 27, 2022
    risk 0.00cvss epss 0.01

    A vulnerability was found in OpenMRS Admin UI Module up to 1.5.x. It has been declared as problematic. This vulnerability affects unknown code of the file omod/src/main/webapp/pages/metadata/locations/location.gsp. The manipulation leads to cross site scripting. The attack can…

  • CVE-2020-36635Dec 27, 2022
    risk 0.00cvss epss 0.01

    A vulnerability was found in OpenMRS Appointment Scheduling Module up to 1.12.x. It has been classified as problematic. This affects the function validateFieldName of the file api/src/main/java/org/openmrs/module/appointmentscheduling/validator/AppointmentTypeValidator.java. The…

  • CVE-2021-4289Dec 27, 2022
    risk 0.00cvss epss 0.01

    A vulnerability classified as problematic was found in OpenMRS openmrs-module-referenceapplication up to 2.11.x. Affected by this vulnerability is the function post of the file omod/src/main/java/org/openmrs/module/referenceapplication/page/controller/UserAppPageController.java…

  • CVE-2021-4288Dec 27, 2022
    risk 0.00cvss epss 0.01

    A vulnerability was found in OpenMRS openmrs-module-referenceapplication up to 2.11.x. It has been rated as problematic. This issue affects some unknown processing of the file omod/src/main/webapp/pages/userApp.gsp. The manipulation leads to cross site scripting. The attack may…

  • CVE-2021-4284Dec 27, 2022
    risk 0.00cvss epss 0.01

    A vulnerability classified as problematic has been found in OpenMRS HTML Form Entry UI Framework Integration Module up to 1.x. This affects an unknown part. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 2.0.0…

  • CVE-2022-4727Dec 24, 2022
    risk 0.00cvss epss 0.01

    A vulnerability, which was classified as problematic, was found in OpenMRS Appointment Scheduling Module up to 1.16.x. This affects the function getNotes of the file api/src/main/java/org/openmrs/module/appointmentscheduling/AppointmentRequest.java of the component Notes…

  • CVE-2021-43094May 10, 2022
    risk 0.00cvss epss 0.01

    An SQL Injection vulnerability exists in OpenMRS Reference Application Standalone Edition <=2.11 and Platform Standalone Edition <=2.4.0 via GET requests on arbitrary parameters in patient.page.