CVE-2026-24848
OpenEMR Arbitrary File Write leading to Remote Code Execution
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
OpenEMR is a free and open source electronic health records and medical practice management application. In 7.0.4 and earlier, the disposeDocument() method in EtherFaxActions.php allows authenticated users to write arbitrary content to arbitrary locations on the server filesystem. This vulnerability can be exploited to achieve Remote Code Execution (RCE) by uploading malicious PHP web shells.
| CWE | CWE-22 |
| Vendor | openemr |
| Product | openemr |
| Published | Mar 3, 2026 |
| Last Updated | Mar 4, 2026 |
Stay Ahead of the Next One
Get instant alerts for openemr openemr
Be the first to know when new unknown vulnerabilities affecting openemr openemr are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
openemr / openemr
<= 7.0.4