CVE-2013-10044 HIGH

CVE-2013-10044: OpenEMR ≤ 4.1.1 SQL Injection Privilege Escalation and RCE

Vendor Openemr Foundation

Product OpenEMR

Weakness CWE-89 · SQLi

Published August 1, 2025

Last update May 15, 2026

View on NVD All CVEs

CVSS base score

8.7/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

An authenticated SQL injection vulnerability exists in OpenEMR ≤ 4.1.1 Patch 14 that allows a low-privileged attacker to extract administrator credentials and subsequently escalate privileges. Once elevated, the attacker can exploit an unrestricted file upload flaw to achieve remote code execution, resulting in full compromise of the application and its host system.

Key dates

02Disclosure timeline

August 1, 2025 CVE published

May 15, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2013-10044

Related vulnerabilities

CVE-2013-10044: OpenEMR ≤ 4.1.1 SQL Injection Privilege Escalation and RCE

01Description

02Disclosure timeline

03References

04Related CVE