KEVIntel
CVSS 10.0 Critical

CVE-2018-19276

PUBLISHED

PoC available · Remote · Low complexity · No user interaction
Vendor: OpenMRS
Product: OpenMRS
Published: Mar 17, 2019

Description

OpenMRS before 2.24.0 is affected by an Insecure Object Deserialization vulnerability that allows an unauthenticated user to execute arbitrary commands on the targeted system via crafted XML data in a request body.

nuclei_scanner

CVSS scores

CVSS v3.0 10.0 Critical

CVSS:3.0/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:C/UI:N

Exploitation status

Proof of concept available

Recorded 2019-03-11 21:28:55 UTC · GitHub

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source Added
The Shadowserver (via CIRCL) First 2025-06-21 00:00 UTC

Potential proofs of concept

These PoCs are unverified and could contain malware. Use at your own risk.

mpgn/CVE-2018-19276

github · Created 2019-03-11 21:28:55 UTC · 16 stars

CVE-2018-19276 - OpenMRS Insecure Object Deserialization RCE

openmrs_deserialization

metasploit · Created Unknown

Metasploit module for CVE-2018-19276

Timeline

  • CVE ID Reserved

  • Proof of Concept Exploit Available

  • CVE Published to Public

  • Detected by Metasploit

  • Detected by Nuclei

  • Added to KEVIntel