CVE-2026-15477

Summary

A vulnerability was detected in Bahmni bahmnicore up to 0.93. This affects the function additionalParams of the file /openmrs/ws/rest/v1/bahmnicore/sql of the component Search Endpoint. Performing a manipulation of the argument test results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used. Upgrading to version 0.93.1, 1.0.1, 1.1.1, 1.2.1, 1.3.1 and 2.0.1 mitigates this issue. Upgrading the affected component is recommended.

Affected Software

VendorProductVersion RangeStatus
Bahmnibahmnicore0.1affected
Bahmnibahmnicore0.2affected
Bahmnibahmnicore0.3affected
Bahmnibahmnicore0.4affected
Bahmnibahmnicore0.5affected
Bahmnibahmnicore0.6affected
Bahmnibahmnicore0.7affected
Bahmnibahmnicore0.8affected
Bahmnibahmnicore0.9affected
Bahmnibahmnicore0.10affected
Bahmnibahmnicore0.11affected
Bahmnibahmnicore0.12affected
Bahmnibahmnicore0.13affected
Bahmnibahmnicore0.14affected
Bahmnibahmnicore0.15affected
Bahmnibahmnicore0.16affected
Bahmnibahmnicore0.17affected
Bahmnibahmnicore0.18affected
Bahmnibahmnicore0.19affected
Bahmnibahmnicore0.20affected
Bahmnibahmnicore0.21affected
Bahmnibahmnicore0.22affected
Bahmnibahmnicore0.23affected
Bahmnibahmnicore0.24affected
Bahmnibahmnicore0.25affected
Bahmnibahmnicore0.26affected
Bahmnibahmnicore0.27affected
Bahmnibahmnicore0.28affected
Bahmnibahmnicore0.29affected
Bahmnibahmnicore0.30affected
Bahmnibahmnicore0.31affected
Bahmnibahmnicore0.32affected
Bahmnibahmnicore0.33affected
Bahmnibahmnicore0.34affected
Bahmnibahmnicore0.35affected
Bahmnibahmnicore0.36affected
Bahmnibahmnicore0.37affected
Bahmnibahmnicore0.38affected
Bahmnibahmnicore0.39affected
Bahmnibahmnicore0.40affected
Bahmnibahmnicore0.41affected
Bahmnibahmnicore0.42affected
Bahmnibahmnicore0.43affected
Bahmnibahmnicore0.44affected
Bahmnibahmnicore0.45affected
Bahmnibahmnicore0.46affected
Bahmnibahmnicore0.47affected
Bahmnibahmnicore0.48affected
Bahmnibahmnicore0.49affected
Bahmnibahmnicore0.50affected
Bahmnibahmnicore0.51affected
Bahmnibahmnicore0.52affected
Bahmnibahmnicore0.53affected
Bahmnibahmnicore0.54affected
Bahmnibahmnicore0.55affected
Bahmnibahmnicore0.56affected
Bahmnibahmnicore0.57affected
Bahmnibahmnicore0.58affected
Bahmnibahmnicore0.59affected
Bahmnibahmnicore0.60affected
Bahmnibahmnicore0.61affected
Bahmnibahmnicore0.62affected
Bahmnibahmnicore0.63affected
Bahmnibahmnicore0.64affected
Bahmnibahmnicore0.65affected
Bahmnibahmnicore0.66affected
Bahmnibahmnicore0.67affected
Bahmnibahmnicore0.68affected
Bahmnibahmnicore0.69affected
Bahmnibahmnicore0.70affected
Bahmnibahmnicore0.71affected
Bahmnibahmnicore0.72affected
Bahmnibahmnicore0.73affected
Bahmnibahmnicore0.74affected
Bahmnibahmnicore0.75affected
Bahmnibahmnicore0.76affected
Bahmnibahmnicore0.77affected
Bahmnibahmnicore0.78affected
Bahmnibahmnicore0.79affected
Bahmnibahmnicore0.80affected
Bahmnibahmnicore0.81affected
Bahmnibahmnicore0.82affected
Bahmnibahmnicore0.83affected
Bahmnibahmnicore0.84affected
Bahmnibahmnicore0.85affected
Bahmnibahmnicore0.86affected
Bahmnibahmnicore0.87affected
Bahmnibahmnicore0.88affected
Bahmnibahmnicore0.89affected
Bahmnibahmnicore0.90affected
Bahmnibahmnicore0.91affected
Bahmnibahmnicore0.92affected
Bahmnibahmnicore0.93affected
Bahmnibahmnicore0.93.1unaffected
Bahmnibahmnicore1.0.1unaffected
Bahmnibahmnicore1.1.1unaffected
Bahmnibahmnicore1.2.1unaffected
Bahmnibahmnicore1.3.1unaffected
Bahmnibahmnicore2.0.1unaffected

Weaknesses

  • CWE-89: SQL Injection
  • CWE-74: Injection

References