VYPR

OpenEMR

by OpenEMR

CVEs (217)

  • CVE-2026-33346 (Mar 19, 2026)
    risk 0.00 | cvss | epss 0.00

    OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, a stored cross-site scripting (XSS) vulnerability in the patient portal payment flow allows a patient portal user to persist arbitrary JavaScript that…

  • CVE-2026-33305 (Mar 19, 2026)
    risk 0.00 | cvss | epss 0.00

    OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an authorization bypass in the optional FaxSMS module (`oe-module-faxsms`) allows any authenticated OpenEMR user to invoke controller methods — including…

  • CVE-2026-33304 (Mar 19, 2026)
    risk 0.00 | cvss | epss 0.00

    OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an authorization bypass in the dated reminders log allows any authenticated non-admin user to view reminder messages belonging to other users, including…

  • CVE-2026-33303 (Mar 19, 2026)
    risk 0.00 | cvss | epss 0.00

    OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.2 are vulnerable to stored cross-site scripting (XSS) via unescaped `portal_login_username` in the portal credential print view. A patient portal user…

  • CVE-2026-33302 (Mar 19, 2026)
    risk 0.00 | cvss | epss 0.00

    OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the module ACL function `AclMain::zhAclCheck()` only checks for the presence of any "allow" (user or group). It never checks for explicit "deny"…

  • CVE-2026-33321 (Mar 19, 2026)
    risk 0.00 | cvss | epss 0.00

    OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users with the `Notes - my encounters` role can fill Eye Exam forms in patient encounters. The answers to the form can be printed out in PDF form. An…

  • CVE-2026-33301 (Mar 19, 2026)
    risk 0.00 | cvss | epss 0.00

    OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users with the `Notes - my encounters` role can fill Eye Exam forms in patient encounters. The answers to the form can be printed out in PDF form. An…

  • CVE-2026-33299 (Mar 19, 2026)
    risk 0.00 | cvss | epss 0.00

    OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users with the `Notes - my encounters` role can fill **Eye Exam** forms in patient encounters. The answers to the form are displayed on the encounter page…

  • CVE-2026-32119 (Mar 19, 2026)
    risk 0.00 | cvss | epss 0.00

    OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, DOM-based stored XSS in the jQuery SearchHighlight plugin (`library/js/SearchHighlight.js`) allows an authenticated user with encounter form write access to…

  • CVE-2026-32238 (Mar 19, 2026)
    risk 0.00 | cvss | epss 0.02

    OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.2 contain a command injection vulnerability in the backup functionality that can be exploited by authenticated attackers. The vulnerability exists due…

  • CVE-2026-25928 (Mar 19, 2026)
    risk 0.00 | cvss | epss 0.01

    OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the DICOM zip/export feature uses a user-supplied destination or path component when creating the zip file, without sanitizing path traversal sequences…

  • CVE-2026-25744 (Mar 19, 2026)
    risk 0.00 | cvss | epss 0.00

    OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the encounter vitals API accepts an `id` in the request body and treats it as an UPDATE. There is no verification that the vital belongs to the current…

  • CVE-2026-25745 (Mar 18, 2026)
    risk 0.00 | cvss | epss 0.00

    OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, the message/note update endpoint (e.g. PUT or POST) updates by message/note ID only and does not verify that the message belongs to the…

  • CVE-2026-32127 (Mar 11, 2026)
    risk 0.00 | cvss | epss 0.00

    OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, OpenEMR contains a SQL injection vulnerability in the ajax graphs library that can be exploited by authenticated attackers. The vulnerability exists due to…

  • CVE-2026-32126 (Mar 11, 2026)
    risk 0.00 | cvss | epss 0.00

    OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, an inverted boolean condition in ControllerRouter::route() causes the admin/super ACL check to be enforced only for controllers that already have their own…

  • CVE-2026-32125 (Mar 11, 2026)
    risk 0.00 | cvss | epss 0.00

    OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, track/item names from the Track Anything feature are stored from user input (POST) and later rendered in Dygraph charts (titles/labels) using innerHTML or…

  • CVE-2026-32124 (Mar 11, 2026)
    risk 0.00 | cvss | epss 0.00

    OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the dynamic code picker AJAX endpoint returns code descriptions (code_text) that are rendered in the front end (e.g. DataTables) without HTML escaping. If…

  • CVE-2026-32123 (Mar 11, 2026)
    risk 0.00 | cvss | epss 0.00

    OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, sensitivity checks for group encounters are broken because the code only consults form_encounter for sensitivity, while group encounters store sensitivity…

  • CVE-2026-32122 (Mar 11, 2026)
    risk 0.00 | cvss | epss 0.00

    OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the Claim File Tracker feature exposes an AJAX endpoint that returns billing claim metadata (claim IDs, payer info, transmission logs). The endpoint does…

  • CVE-2026-32121 (Mar 11, 2026)
    risk 0.00 | cvss | epss 0.00

    OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, Stored XSS in prescription CSS/HTML print view via patient demographics. That finding involves server-side rendering of patient names via raw PHP echo.…
