VIR Vulnerability Intelligence Relay

CVE-2026-40076

high
Published 2026-05-06 · Modified 2026-05-08
CVSS v3
8.8
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
CVSS v2
VIR risk
8.8

Description

OpenMRS Module Upload Vulnerable to Path Traversal (Zip Slip)

Predictions

Exploit likelihood
92%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: security-advisories@github.com — https://github.com/openmrs/openmrs-core/security/advisories/GHSA-78fc-9688-w8xw

Package impact
EcosystemPackageVulnerableFixed
java Mavenorg.openmrs.web:openmrs-web<=2.7.8
java Mavenorg.openmrs.web:openmrs-web>=2.8.0,<=2.8.5
java MAVENorg.openmrs.web:openmrs-web>= 2.8.0, <= 2.8.5
java MAVENorg.openmrs.web:openmrs-web<= 2.7.8

Application impact
VendorProductVersionsFixed
openmrsopenmrs{"endIncluding":"2.7.8"}

References

CWEs

CWE-22

Verify integrity in audit chain (admin only). AS-IS.