Unrated severityNVD Advisory· Published Feb 25, 2026· Updated Feb 26, 2026

OpenEMR has SQL Injection in Patient API Sort Parameter

CVE-2026-24908

Description

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL injection vulnerability in the Patient REST API endpoint allows authenticated users with API access to execute arbitrary SQL queries through the _sort parameter. This could potentially lead to database access, PHI (Protected Health Information) exposure, and credential compromise. The issue occurs when user-supplied sort field names are used in ORDER BY clauses without proper validation or identifier escaping. Version 8.0.0 fixes the issue.

Affected products

Openemr/Openemrv5
Range: < 8.0.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/openemr/openemr/commit/943e23cad6e979f87cdf168807fce2a7b32dd194mitrex_refsource_MISC
github.com/openemr/openemr/security/advisories/GHSA-rcc2-45v3-qmqmmitrex_refsource_CONFIRM

News mentions

⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE & More
The Hacker News · May 4, 2026

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000