Description
OpenEMR is a free and open source electronic health records and medical practice management application. In 7.0.4 and earlier, the disposeDocument() method in EtherFaxActions.php allows authenticated users to write arbitrary content to arbitrary locations on the server filesystem. This vulnerability can be exploited to achieve Remote Code Execution (RCE) by uploading malicious PHP web shells.
Published: 2026-03-03
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises in the disposeDocument() method of EtherFaxActions.php in OpenEMR versions 7.0.4 and earlier. The method fails to properly validate file paths, allowing an authenticated user to write arbitrary content to any location on the server filesystem. This flaw is classified as CWE-22 and can be leveraged to deploy malicious PHP shells, resulting in full remote code execution on the host machine.

Affected Systems

The affected product is OpenEMR. Versions 7.0.4 and earlier are impacted. Users running these releases should check their installed version against that affected range.

Risk and Exploitability

This vulnerability has a CVSS score of 8.7, indicating a high severity. The EPSS score is less than 1%, implying a low exploitation probability at the time of analysis, and the issue is not listed in the CISA KEV catalog. The likely attack requires an authenticated session within the application, enabling an attacker to supply path strings that escape the intended directory boundary and upload executable PHP code. Once such a file is placed on disk, it can be accessed through the web interface to trigger arbitrary code on the server.

Generated by OpenCVE AI on April 16, 2026 at 13:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OpenEMR to a version that includes the patch for the disposeDocument() flaw.
  • Configure the web server to disallow execution of uploaded files in the directories used by EtherFaxActions, for example by disabling PHP in those folders or treating them as static content.
  • Restrict file upload privileges and enforce path validation so that only intended directories can be written to.

Generated by OpenCVE AI on April 16, 2026 at 13:54 UTC.
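The path-validation action above is what a code-level fix for a CWE-22 arbitrary file write has to implement. As an added illustration (not OpenEMR's code and not the actual patch for this CVE), the PHP helper below confines a caller-supplied document name to a single allowed directory before any write; the directory name and the list of blocked extensions are assumptions.

```php
<?php
// Added example (not OpenEMR's code and not the CVE-2026-24848 patch): confine
// a caller-supplied document name to one allowed directory before any write,
// the check a CWE-22 arbitrary-file-write fix needs. $baseDir is that directory.
function safeDocumentPath(string $baseDir, string $userName): ?string
{
    // Null bytes can truncate the path in lower-level C calls: reject.
    if (str_contains($userName, "\0")) {
        return null;
    }
    // The store must already exist; realpath() also collapses symlinks.
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    // Accept only a bare file name: separators, '.', '..' or an absolute path
    // change basename()'s result and are refused rather than rewritten, so
    // traversal attempts can be logged instead of silently sanitised.
    $name = basename(str_replace('\\', '/', $userName));
    if ($name === '' || $name === '.' || $name === '..' || $name !== $userName) {
        return null;
    }
    // No server-executable extension anywhere in the name (covers "x.php.pdf"
    // and .htaccess drops): blocks the web-shell step even if the web server
    // is misconfigured to run PHP from this folder.
    $blocked = ['php', 'phtml', 'phar', 'php3', 'php4', 'php5', 'phps', 'htaccess'];
    foreach (array_slice(explode('.', strtolower($name)), 1) as $segment) {
        if (in_array($segment, $blocked, true)) {
            return null;
        }
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $name;
    // Defence in depth: the resolved parent of the target must be the store
    // itself (the file may not exist yet, so resolve its directory instead).
    if (realpath(dirname($candidate)) !== $base) {
        return null;
    }
    return $candidate;
}

// Usage with a constructed temporary store.
$store = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'docstore-example';
if (!is_dir($store)) {
    mkdir($store, 0700, true);
}
foreach (['fax-0001.pdf', '../../www/shell.php', 'report.php.pdf'] as $n) {
    $ok = safeDocumentPath($store, $n);
    printf("%-22s => %s\n", $n, $ok === null ? 'rejected' : 'allowed: ' . $ok);
}
```

Every rejected name is a candidate for an audit log entry, which is the detection signal a defender wants from this class of bug.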

Advisories

No advisories yet.

History

Wed, 04 Mar 2026 22:15:00 +0000

Type | Values Removed | Values Added
Metrics (ssvc) |  | {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 22:00:00 +0000

Type | Values Removed | Values Added
First Time appeared |  | Open-emr; Open-emr openemr
CPEs |  | cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products |  | Open-emr; Open-emr openemr
Metrics (cvssV3_1) |  | {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Wed, 04 Mar 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared |  | Openemr; Openemr openemr
Vendors & Products |  | Openemr; Openemr openemr

Tue, 03 Mar 2026 22:15:00 +0000

Type | Values Removed | Values Added
Description |  | OpenEMR is a free and open source electronic health records and medical practice management application. In 7.0.4 and earlier, the disposeDocument() method in EtherFaxActions.php allows authenticated users to write arbitrary content to arbitrary locations on the server filesystem. This vulnerability can be exploited to achieve Remote Code Execution (RCE) by uploading malicious PHP web shells.
Title |  | OpenEMR Arbitrary File Write leading to Remote Code Execution
Weaknesses |  | CWE-22
References |  | 
Metrics (cvssV4_0) |  | {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-04T21:22:26.896Z

Reserved: 2026-01-27T14:51:03.060Z

Link: CVE-2026-24848

Vulnrichment

Updated: 2026-03-04T21:22:21.429Z

NVD

Status: Analyzed

Published: 2026-03-03T22:16:28.293

Modified: 2026-03-04T21:58:33.060

Link: CVE-2026-24848

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T14:00:19Z

Weaknesses