Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1814+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. Security
  3. CVE-2026-41258: OpenMRS Velocity Template Injection Enables
CVE-2026-41258: OpenMRS Velocity Template Injection Enables

Critical Security Alert

This vulnerability is actively being exploited. Immediate action is recommended.

SECURITYCRITICALCVE-2026-41258

CVE-2026-41258: OpenMRS Velocity Template Injection Enables

A critical unsandboxed Apache Velocity template injection vulnerability in OpenMRS Core allows authenticated attackers to execute arbitrary code on the...

Dylan H.

Security Team

May 16, 2026
3 min read

Affected Products

  • OpenMRS Core 2.7.0 – 2.7.8, 2.8.0 – 2.8.5

Overview

A critical-severity remote code execution vulnerability has been disclosed in OpenMRS Core, the widely deployed open-source electronic medical record platform. The flaw, tracked as CVE-2026-41258 with a CVSS score of 9.1, stems from the evaluation of database-stored strings as unsandboxed Apache Velocity templates in the ConceptReferenceRangeUtility.evaluateCriteria() method.

Technical Details

The ConceptReferenceRangeUtility.evaluateCriteria() method retrieves criteria strings from the OpenMRS database and passes them directly to the Apache Velocity template engine without any sandbox configuration. This allows an attacker who can influence these database-stored criteria — through legitimate application features or a prior SQL injection — to inject and execute arbitrary Velocity template expressions on the server.

Apache Velocity templates have access to the JVM runtime environment by default when no SecureUberspector or similar sandbox is enforced. This makes it possible to chain template directives to spawn system processes, read files, or establish reverse shells.

Attack chain:

  1. Attacker gains access to modify concept reference range criteria (authenticated role or secondary injection)
  2. Malicious Velocity template directive inserted into the criteria string
  3. OpenMRS Core evaluates the stored string server-side via Velocity
  4. Arbitrary code executes with the privileges of the OpenMRS application server

Affected Versions

BranchAffected RangeFixed In
2.7.x2.7.0 – 2.7.82.7.9
2.8.x2.8.0 – 2.8.52.8.6

Versions prior to 2.7.0 may also be affected but have not been assessed.

Impact

OpenMRS is used extensively across low- and middle-income countries for hospital and clinic patient management, often handling sensitive protected health information (PHI). Successful exploitation could result in:

  • Full server compromise and lateral movement within the hospital network
  • Exfiltration of patient records including diagnoses, medications, and personally identifiable information
  • Ransomware deployment against healthcare infrastructure
  • Disruption of clinical operations

Remediation

Upgrade immediately to the patched releases:

  • OpenMRS Core 2.7.9 or later
  • OpenMRS Core 2.8.6 or later

If an immediate upgrade is not possible, consider the following mitigations:

  1. Restrict database-level write access to the concept reference range tables to trusted administrative accounts only
  2. Enable database auditing to detect unauthorized modifications to criteria strings
  3. Apply network segmentation to limit the attack surface around the OpenMRS application server
  4. Monitor application logs for unexpected Velocity template evaluation errors

References

  • NVD — CVE-2026-41258
  • OpenMRS Security Advisories
  • Apache Velocity Security Guidance

Related Reading

  • CVE-2025-68613: n8n Remote Code Execution via Improper
  • CVE-2026-32604: Spinnaker Clouddriver Remote Code Execution
  • CVE-2026-32613: Spinnaker Echo Spring Expression Language
#CVE#OpenMRS#RCE#Template Injection#Healthcare#Critical

Related Articles

CVE-2026-9558: Critical SSTI in Mautic Enables Authenticated RCE

A Server-Side Template Injection flaw in Mautic's Twig-based theme engine allows authenticated users with theme upload permissions to execute arbitrary...

3 min read

CVE-2026-54352: Budibase Zip Upload Path Traversal Enables Remote Code Execution (CVSS 9.6)

A critical path traversal vulnerability in Budibase's zip upload endpoint allows attackers to write arbitrary files outside the intended temp directory,...

3 min read

CVE-2026-54414: FileRise Path Traversal Enables Arbitrary File Write and Admin Takeover

A critical path traversal vulnerability in FileRise before 3.16.0 allows unauthenticated attackers to write arbitrary files and completely compromise...

5 min read
Back to all Security Alerts