{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25928", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-09T16:22:17.785Z", "datePublished": "2026-03-19T19:27:17.018Z", "dateUpdated": "2026-03-19T19:27:17.018Z"}, "containers": {"cna": {"title": "OpenEMR Vulnerable to Path Traversal When Zipping DICOM Folders", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/openemr/openemr/security/advisories/GHSA-rppw-f689-6hrm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-rppw-f689-6hrm"}, {"name": "https://github.com/openemr/openemr/commit/ddcf04ea769a33cdc1932355224575478df70585", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/commit/ddcf04ea769a33cdc1932355224575478df70585"}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"version": "< 8.0.0.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T19:27:17.018Z"}, "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the DICOM zip/export feature uses a user-supplied destination or path component when creating the zip file, without sanitizing path traversal sequences (e.g. `../`). An attacker with DICOM upload/export permission can write files outside the intended directory, potentially under the web root, leading to arbitrary file write and possibly remote code execution if PHP or other executable files can be written. Version 8.0.0.2 fixes the issue."}], "source": {"advisory": "GHSA-rppw-f689-6hrm", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the DICOM zip/export feature uses a user-supplied destination or path component when creating the zip file, without sanitizing path traversal sequences (e.g. `../`). An attacker with DICOM upload/export permission can write files outside the intended directory, potentially under the web root, leading to arbitrary file write and possibly remote code execution if PHP or other executable files can be written. Version 8.0.0.2 fixes the issue."}], "id": "CVE-2026-25928", "lastModified": "2026-03-20T13:39:46.493", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T20:16:13.720", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/openemr/openemr/commit/ddcf04ea769a33cdc1932355224575478df70585"}, {"source": "security-advisories@github.com", "url": "https://github.com/openemr/openemr/security/advisories/GHSA-rppw-f689-6hrm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.0.0.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openemr", "source": "cna", "vendor": "openemr"}, "product": "openemr", "vendor": "openemr"}], "analysis": {"en": {"generated_at": "2026-03-19T20:20:56.381151+00:00", "value": {"mitigation_remediation": ["Apply the OpenEMR patch that brings the product to version 8.0.0.2 or later."], "summary": {"action": "Patch Now", "impact": "Arbitrary File Write (possible Remote Code Execution)"}, "threat_synthesis": {"affected_systems": "OpenEMR, version 8.0.0.1 and earlier, is affected. Versions 8.0.0.2 and later contain the fix. The product is identified as openemr:openemr by the CNA.", "description_and_impact": "OpenEMR\u2019s DICOM export functionality allows a user with upload/export rights to create a ZIP archive. The code constructs the archive path from user\u2011supplied input without sanitizing path traversal characters such as \u2018..\u2019. This permits the attacker to write files outside the intended export directory, including into the web root. If an executable file (e.g., PHP) is written, the attacker could achieve remote code execution. The vulnerability is classified as CWE\u201122 (Path Traversal).", "risk_and_exploitability": "The CVSS score is 6.5, indicating moderate severity. No EPSS estimate is provided and the vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploitation at the time. Attack requires possession of DICOM upload/export rights. Given the lack of public exploit data, the immediate risk level is moderate, but the potential for remote code execution warrants prompt remediation."}}}}, "created": "2026-03-20T08:56:29.121691+00:00", "updated": "2026-03-20T11:06:39.121001+00:00", "vendors": ["openemr", "openemr$PRODUCT$openemr"]}