Openemr
by Openemr
Source repositories
CVEs (217)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-34056 | | | 0.00 | — | 0.00 | | Mar 25, 2026 | OpenEMR is a free and open source electronic health records and medical practice management application. A Broken Access Control vulnerability in OpenEMR up to and including version 8.0.0.3 allows low-privilege users to view and download Ensora eRx error logs without proper… |
| CVE-2026-34055 | | | 0.00 | — | 0.00 | | Mar 25, 2026 | OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the legacy patient notes functions in `library/pnotes.inc.php` perform updates and deletes using `WHERE id = ?` without verifying that the note… |
| CVE-2026-34053 | | | 0.00 | — | 0.00 | | Mar 25, 2026 | OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, missing authorization in the AJAX deletion endpoint `interface/forms/procedure_order/handle_deletions.php` allows any authenticated user, regardless… |
| CVE-2026-34051 | | | 0.00 | — | 0.00 | | Mar 25, 2026 | OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 have an improper access control on the Import/Export functionality, allowing unauthorized users to perform import and export actions through direct… |
| CVE-2026-33934 | | | 0.00 | — | 0.00 | | Mar 25, 2026 | OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 have a missing authorization check in `portal/sign/lib/show-signature.php` that allows any authenticated patient portal user to retrieve the drawn… |
| CVE-2026-33933 | | | 0.00 | — | 0.00 | | Mar 25, 2026 | OpenEMR is a free and open source electronic health records and medical practice management application. Starting in version 7.0.2.1 and prior to version 8.0.0.3, a reflected cross-site scripting (XSS) vulnerability in the custom template editor allows an attacker to execute… |
| CVE-2026-33932 | | | 0.00 | — | 0.00 | | Mar 25, 2026 | OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a stored cross-site scripting vulnerability in the CCDA document preview allows an attacker who can upload or send a CCDA document to execute… |
| CVE-2026-33931 | | | 0.00 | — | 0.00 | | Mar 25, 2026 | OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an Insecure Direct Object Reference (IDOR) vulnerability in the patient portal payment page allows any authenticated portal patient to access other… |
| CVE-2026-33918 | | | 0.00 | — | 0.00 | | Mar 25, 2026 | OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the billing file-download endpoint `interface/billing/get_claim_file.php` only verifies that the caller has a valid session and CSRF token, but does… |
| CVE-2026-33917 | | | 0.00 | — | 0.00 | | Mar 25, 2026 | OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 contain a SQL injection vulnerability in the ajax_save CAMOS form that can be exploited by authenticated attackers. The vulnerability exists due to… |
| CVE-2026-33915 | | | 0.00 | — | 0.00 | | Mar 25, 2026 | OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, five insurance company REST API routes are missing the `RestConfig::request_authorization_check()` call that every other data-modifying route in the… |
| CVE-2026-33914 | | | 0.00 | — | 0.00 | | Mar 25, 2026 | OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the PostCalendar module contains a blind SQL injection vulnerability in the `categoriesUpdate` administrative function. The `dels` POST parameter is… |
| CVE-2026-33913 | | | 0.00 | — | 0.00 | | Mar 25, 2026 | OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an authenticated user with access to the Carecoordination module can upload a crafted CCDA document containing `<xi:include…` |
| CVE-2026-33912 | | | 0.00 | — | 0.00 | | Mar 25, 2026 | OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an authenticated attacker could craft a malicious form that, when submitted by a victim, executes arbitrary JavaScript in the victim's browser… |
| CVE-2026-33911 | | | 0.00 | — | 0.00 | | Mar 25, 2026 | OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the POST parameter `title` is reflected back in a JSON response built with `json_encode()`. Because the response is served with a `text/html`… |
| CVE-2026-33910 | | | 0.00 | — | 0.00 | | Mar 25, 2026 | OpenEMR is a free and open source electronic health records and medical practice management application. Versions up to and including 8.0.0.2 contain a SQL injection vulnerability in the patient selection feature that can be exploited by authenticated attackers. The… |
| CVE-2026-33909 | | | 0.00 | — | 0.00 | | Mar 25, 2026 | OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, several variables in the MedEx recall/reminder processing code are concatenated directly into SQL queries without parameterization or type casting,… |
| CVE-2026-33348 | | | 0.00 | — | 0.00 | | Mar 25, 2026 | OpenEMR is a free and open source electronic health records and medical practice management application. Users with the `Notes - my encounters` role can fill Eye Exam forms in patient encounters. The answers to the form are displayed on the encounter page and in the visit… |
| CVE-2026-32120 | | | 0.00 | — | 0.00 | | Mar 25, 2026 | OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an Insecure Direct Object Reference (IDOR) vulnerability in the fee sheet product save logic (`library/FeeSheet.class.php`) allows any authenticated… |
| CVE-2026-29187 | | | 0.00 | — | 0.00 | | Mar 25, 2026 | OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a Blind SQL Injection vulnerability exists in the Patient Search functionality (`/interface/new/new_search_popup.php`). The vulnerability allows an… |
Page 4 of 11