Code Injection in OpenMRS - CVE-2026-41258

Published: May 4, 2026


Vulnerability identifier: #VU129554
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-41258
CWE-ID: CWE-94
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenMRS
Affected software:
OpenMRS

Detailed vulnerability description

The vulnerability allows a remote privileged user (one permitted to edit concept reference ranges) to execute arbitrary code on the OpenMRS server.

The vulnerability exists due to improper control of code generation in ConceptReferenceRangeUtility.evaluateCriteria() when evaluating database-stored criteria strings as Apache Velocity templates. A remote privileged user can store a malicious Velocity template expression in a concept's reference range criteria field to execute arbitrary code.

The payload is executed automatically whenever an observation is validated against the affected concept, and the template context exposes patient and observation objects as well as the utility instance with access to the service layer.
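The pattern the advisory describes, shown as an added illustration rather than OpenMRS's own code: a string read from the database is handed to Velocity as the template, and live domain and utility objects sit in the template context, so whoever can write that string controls what the template can reach. The hardened variant beside it keeps Velocity but switches to Velocity's SecureUberspector (which blocks getClass(), java.lang.reflect and the Class/ClassLoader/Thread family by default), enables strict references so an unknown reference fails rather than being skipped, and exposes only the plain values a reference range actually needs instead of the objects themselves. The Patient, Obs and UtilityWithServiceAccess classes, the context names patient/obs/util and the criteria strings are all assumptions made for this example; the real fix is whatever the vendor shipped in the update.

```java
// Added example, not OpenMRS code. Needs org.apache.velocity:velocity-engine-core (2.x) on the classpath.
import java.io.StringWriter;
import java.util.Map;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.VelocityEngine;
import org.apache.velocity.runtime.RuntimeConstants;

public class CriteriaEvaluationDemo {

    // Assumed stand-ins for the objects the advisory says are placed in the template context.
    public static class Patient {
        public int getAge() { return 34; }
        public String getGender() { return "F"; }
    }
    public static class Obs {
        public double getValueNumeric() { return 7.2; }
    }
    public static class UtilityWithServiceAccess {
        public String getServiceContext() { return "live service layer"; }
    }

    // Anti-pattern from the advisory: the stored criteria IS the template, and live objects are in scope.
    public static String evaluateUnsafe(String storedCriteria, Patient patient, Obs obs) {
        VelocityEngine ve = new VelocityEngine();
        ve.init();
        VelocityContext ctx = new VelocityContext();
        ctx.put("patient", patient);
        ctx.put("obs", obs);
        ctx.put("util", new UtilityWithServiceAccess()); // anything reachable from here is reachable from the DB string
        StringWriter out = new StringWriter();
        ve.evaluate(ctx, out, "criteria", storedCriteria);
        return out.toString().trim();
    }

    // Hardened variant: restricted introspection, strict references, values instead of objects, fail closed.
    public static String evaluateRestricted(String storedCriteria, Patient patient, Obs obs) {
        VelocityEngine ve = new VelocityEngine();
        ve.setProperty(RuntimeConstants.UBERSPECT_CLASSNAME,
                "org.apache.velocity.util.introspection.SecureUberspector");
        ve.setProperty(RuntimeConstants.RUNTIME_REFERENCES_STRICT, true);
        ve.init();
        VelocityContext ctx = new VelocityContext();
        // Only the primitives a reference range can legitimately depend on; no service-layer object at all.
        ctx.put("patient", Map.of("age", patient.getAge(), "gender", patient.getGender()));
        ctx.put("obs", Map.of("valueNumeric", obs.getValueNumeric()));
        StringWriter out = new StringWriter();
        try {
            ve.evaluate(ctx, out, "criteria", storedCriteria);
        } catch (RuntimeException e) {
            // Unknown reference, blocked method or parse error: treat the criteria as not matching.
            return "false";
        }
        return out.toString().trim();
    }

    public static void main(String[] args) {
        Patient p = new Patient();
        Obs o = new Obs();
        String legitimate = "#if($patient.age >= 18 && $patient.gender == \"F\")true#{else}false#end";
        String abusive = "$util.serviceContext"; // a stored string reaching out of the template into app internals
        System.out.println(evaluateUnsafe(legitimate, p, o));     // true
        System.out.println(evaluateUnsafe(abusive, p, o));        // live service layer
        System.out.println(evaluateRestricted(legitimate, p, o)); // true
        System.out.println(evaluateRestricted(abusive, p, o));    // false (strict mode rejects the unknown $util)
    }
}
```

The point of the restricted variant is not the uberspector alone: SecureUberspector narrows what a template can call, but the decisive change is that nothing with service-layer reach is in the context in the first place, so a criteria string can at most read the handful of values it was given.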


How to mitigate CVE-2026-41258

Install the security update from the vendor's website.

Until the update is applied, limit the privilege that allows editing concept reference ranges to trusted administrators, since any account holding it can store the payload. After updating, review the stored criteria of existing concept reference ranges for anything beyond a simple comparison on patient or observation values (Velocity directives, method calls or references to the utility object), because a criteria string planted before the fix is still evaluated on every observation validated against that concept.

Sources