CVE-2013-10044
OpenEMR ≤ 4.1.1 SQL Injection Privilege Escalation and RCE
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
An authenticated SQL injection vulnerability exists in OpenEMR ≤ 4.1.1 Patch 14 that allows a low-privileged attacker to extract administrator credentials and subsequently escalate privileges. Once elevated, the attacker can exploit an unrestricted file upload flaw to achieve remote code execution, resulting in full compromise of the application and its host system.
| CWE | CWE-89, CWE-434 |
| Vendor | openemr foundation |
| Product | openemr |
| Published | Aug 1, 2025 |
| Last Updated | Apr 7, 2026 |
Affected Versions
OpenEMR Foundation / OpenEMR
* ≤ 4.1.1 Patch 14
References
* raw.githubusercontent.com: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/openemr_sqli_privesc_upload.rb
* exploit-db.com: https://www.exploit-db.com/exploits/28329
* exploit-db.com: https://www.exploit-db.com/exploits/28408
* open-emr.org: https://www.open-emr.org/
* github.com: https://github.com/openemr/openemr
* vulncheck.com: https://www.vulncheck.com/advisories/openemr-sqli-priv-esc-rce
Credits
xistence