VYPR

Openemr

by Openemr

CVEs (217)

  • CVE-2018-15141 | Med | Aug 13, 2018
    risk 0.39 | cvss 6.5 | epss 0.14

    Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the patient portal to delete arbitrary files via the "docid" parameter when the mode is set to delete.

  • CVE-2021-47817 | Med | Jan 21, 2026
    risk 0.35 | cvss 5.4 | epss 0.01

    OpenEMR 5.0.2.1 contains a cross-site scripting vulnerability in user profile parameters that authenticated attackers can chain with a file upload to achieve remote code execution. Attackers can exploit the vulnerability by crafting a malicious payload to download and execute a…

  • CVE-2018-1000219 | Med | Aug 20, 2018
    risk 0.35 | cvss 5.4 | epss 0.01

    OpenEMR version v5_0_1_4 contains a Cross Site Scripting (XSS) vulnerability in the 'scan' parameter in line #41 of interface/fax/fax_view.php that could allow remote authenticated attackers to inject arbitrary web script or HTML. This attack…

  • CVE-2018-1000218 | Med | Aug 20, 2018
    risk 0.35 | cvss 5.4 | epss 0.01

    OpenEMR version v5_0_1_4 contains a Cross Site Scripting (XSS) vulnerability in the 'file' parameter in line #43 of interface/fax/fax_view.php that could allow remote authenticated attackers to inject arbitrary web script or HTML. This attack…

  • CVE-2017-1000240 | Med | Nov 17, 2017
    risk 0.35 | cvss 5.4 | epss 0.01

    The application OpenEMR is affected by multiple reflected & stored Cross-Site Scripting (XSS) vulnerabilities affecting version 5.0.0 and prior versions. These vulnerabilities could allow remote authenticated attackers to inject arbitrary web script or HTML.

  • CVE-2023-2948 | May 28, 2023
    risk 0.08 | cvss | epss 0.97

    Cross-site Scripting (XSS) - Generic in GitHub repository openemr/openemr prior to 7.0.1.

  • CVE-2022-2733 | Aug 9, 2022
    risk 0.08 | cvss | epss 0.96

    Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/openemr prior to 7.0.0.1.

  • CVE-2019-14530 | Aug 13, 2019
    risk 0.08 | cvss | epss 0.67

    An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file (that is readable by the user www-data) from server storage. If the requested file is writable for the www-data user and the directory…

  • CVE-2023-2947 | May 27, 2023
    risk 0.07 | cvss | epss 0.90

    Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.1.

  • CVE-2021-25921 | Mar 22, 2021
    risk 0.07 | cvss | epss 0.91

    In OpenEMR, versions 2.7.3-rc1 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly in the `Allergies` section. An attacker could lure an admin to enter a malicious payload and by that initiate the exploit.

  • CVE-2020-36243 | Feb 7, 2021
    risk 0.07 | cvss | epss 0.64

    The Patient Portal of OpenEMR 5.0.2.1 is affected by a Command Injection vulnerability in /interface/main/backup.php. To exploit the vulnerability, an authenticated attacker can send a POST request that executes arbitrary OS commands via shell metacharacters.

  • CVE-2022-1179 | Mar 30, 2022
    risk 0.06 | cvss | epss 0.77

    A non-privileged user can create a new rule, leading to Stored Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4.

  • CVE-2021-25919 | Mar 22, 2021
    risk 0.06 | cvss | epss 0.70

    In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly. A highly privileged attacker could inject arbitrary code into input fields when creating a new user.

  • CVE-2013-10044 | Aug 1, 2025
    risk 0.04 | cvss | epss 0.01

    An authenticated SQL injection vulnerability exists in OpenEMR ≤ 4.1.1 Patch 14 that allows a low-privileged attacker to extract administrator credentials and subsequently escalate privileges. Once elevated, the attacker can exploit an unrestricted file upload flaw to achieve…

  • CVE-2022-1181 | Mar 30, 2022
    risk 0.04 | cvss | epss 0.51

    Stored Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.2.

  • CVE-2022-1178 | Mar 30, 2022
    risk 0.04 | cvss | epss 0.52

    Stored Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4.

  • CVE-2019-3968 | Aug 20, 2019
    risk 0.04 | cvss | epss 0.10

    In OpenEMR 5.0.1 and earlier, an authenticated attacker can execute arbitrary commands on the host system via the Scanned Forms interface when creating a new form.

  • CVE-2018-17179 | May 17, 2019
    risk 0.04 | cvss | epss 0.12

    An issue was discovered in OpenEMR before 5.0.1 Patch 7. There is SQL Injection in the make_task function in /interface/forms/eye_mag/php/taskman_functions.php via /interface/forms/eye_mag/taskman.php.

  • CVE-2012-0991 | Feb 7, 2012
    risk 0.04 | cvss | epss 0.11

    Multiple directory traversal vulnerabilities in OpenEMR 4.1.0 allow remote authenticated users to read arbitrary files via a .. (dot dot) in the formname parameter to (1) contrib/acog/print_form.php; or (2) load_form.php, (3) view_form.php, or (4) trend_form.php in…

  • CVE-2026-24849 | Feb 25, 2026
    risk 0.03 | cvss | epss 0.02

    OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, the `disposeDocument()` method in `EtherFaxActions.php` allows authenticated users to read arbitrary files from the server filesystem. Any…

Page 2 of 11