PatchSiren

openmrs CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL openmrs CVE published 2026-05-15

CVE-2026-41258

A critical remote code execution vulnerability exists in OpenMRS Core versions 2.7.0 through 2.7.8 and 2.8.0 through 2.8.5. The ConceptReferenceRangeUtility.evaluateCriteria() method evaluates database-stored criteria strings as Apache Velocity templates without sandboxing. The VelocityEngine is initialized with only logging properties and no SecureUberspector, leaving the default UberspectImpl in place, w [truncated]