OpenMRS — Vulnerabilities & Security Advisories (12)

Browse all 12 CVE security advisories affecting OpenMRS. AI-powered Chinese analysis, POCs, and references for each vulnerability.

OpenMRS serves as a free, open-source electronic medical record platform primarily deployed in resource-limited healthcare settings. Historically, the system has faced vulnerabilities including remote code execution, cross-site scripting, and privilege escalation, often stemming from insufficient input validation and access control flaws. While no major public security incidents have been widely documented, the platform's 12 recorded CVEs highlight ongoing security challenges in handling sensitive patient data across diverse implementations. Its modular architecture introduces potential attack surfaces, particularly in third-party module integration, requiring rigorous security assessments in healthcare environments where data integrity and patient privacy are critical concerns.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-40076 | OpenMRS Core arbitrary file write and code execution via Zip Slip in module upload | openmrs-core | CWE-22 | 7.5 (AI) | High (AI) | 2026-05-06 |
| CVE-2026-40075 | OpenMRS Core arbitrary file read via path traversal in ModuleResourcesServlet | openmrs-core | CWE-22 | 7.5 | - | 2026-05-05 |
| CVE-2025-46823 | OpenMRS has Vulnerability in FHIR2 Module Privileges | openmrs-module-fhir2 | CWE-862 | 7.1 (AI) | High (AI) | 2025-05-29 |
| CVE-2020-36636 | OpenMRS Admin UI Module Account Setup AccountPageController.java sendErrorMessage cross site scripting | Admin UI Module | CWE-79 | 3.5 | Low | 2022-12-27 |
| CVE-2021-4292 | OpenMRS Admin UI Module Manage Privilege Page privilege.gsp cross site scripting | Admin UI Module | CWE-79 | 3.5 | Low | 2022-12-27 |
| CVE-2021-4291 | OpenMRS Admin UI Module location.gsp cross site scripting | Admin UI Module | CWE-79 | 3.5 | Low | 2022-12-27 |
| CVE-2020-36635 | OpenMRS Appointment Scheduling Module AppointmentTypeValidator.java validateFieldName cross site scripting | Appointment Scheduling Module | CWE-79 | 3.5 | Low | 2022-12-27 |
| CVE-2021-4289 | OpenMRS openmrs-module-referenceapplication User App Page UserAppPageController.java post cross site scripting | openmrs-module-referenceapplication | CWE-79 | 3.5 | Low | 2022-12-27 |
| CVE-2021-4288 | OpenMRS openmrs-module-referenceapplication userApp.gsp cross site scripting | openmrs-module-referenceapplication | CWE-79 | 3.5 | Low | 2022-12-27 |
| CVE-2021-4284 | OpenMRS HTML Form Entry UI Framework Integration Module cross site scripting | HTML Form Entry UI Framework Integration Module | CWE-79 | 3.5 | Low | 2022-12-27 |
| CVE-2022-4727 | OpenMRS Appointment Scheduling Module Notes AppointmentRequest.java getNotes cross site scripting | Appointment Scheduling Module | CWE-707 | 3.5 | Low | 2022-12-24 |
| CVE-2022-23612 | Directory Traversal in OpenMRS Startup Filter | openmrs-core | CWE-22 | 7.5 | High | 2022-02-22 |

This page lists every published CVE security advisory associated with OpenMRS. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.