Unrated severityNVD Advisory· Published Feb 25, 2026· Updated Feb 26, 2026

OpenEMR has SQL Injection in Immunization Search/Report

CVE-2026-23627

Description

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL injection vulnerability in the Immunization module allows any authenticated user to execute arbitrary SQL queries, leading to complete database compromise, PHI exfiltration, credential theft, and potential remote code execution. The vulnerability exists because user-supplied patient_id values are directly concatenated into SQL WHERE clauses without parameterization or escaping. Version 8.0.0 patches the issue.

Affected products

Openemr/Openemrv5
Range: < 8.0.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/openemr/openemr/commit/cbf4ea4345b14a6c8362201e30c74ffb0949cdb1mitrex_refsource_MISC
github.com/openemr/openemr/security/advisories/GHSA-x3hw-rwrg-v25hmitrex_refsource_CONFIRM

News mentions

⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE & More
The Hacker News · May 4, 2026

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000