CVE-2026-40075

high
Published 2026-05-05 · Modified 2026-05-08
CVSS v3
7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v2
VIR risk
7.5

Description

OpenMRS ModuleResourcesServlet has Path Traversal that Leads to Arbitrary File Read

Predictions

Exploit likelihood
83%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/openmrs/openmrs-core/security/advisories/GHSA-jjgj-cx3q-pw4w

Package impact

Ecosystem | Package | Vulnerable | Fixed
java Maven | org.openmrs.web:openmrs-web | <=2.7.8 |
java Maven | org.openmrs.web:openmrs-web | >=2.8.0,<2.8.6 | 2.8.6
java MAVEN | org.openmrs.web:openmrs-web | >= 2.8.0, <= 2.8.5 | 2.8.6
java MAVEN | org.openmrs.web:openmrs-web | <= 2.7.8 |

Application impact

Vendor | Product | Versions | Fixed
openmrs | openmrs | {"endIncluding":"2.7.8"} |

References

CWEs

CWE-22
