Filtered by vendor Open-emr
Subscribe
Total
217 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-33934 | 1 Open-emr | 1 Openemr | 2026-03-26 | N/A | 4.3 MEDIUM |
| OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 have a missing authorization check in `portal/sign/lib/show-signature.php` that allows any authenticated patient portal user to retrieve the drawn signature image of any staff member by supplying an arbitrary `user` value in the POST body. The companion write endpoint (`save-signature.php`) was already hardened against this same issue, but the read endpoint was not updated to match. Version 8.0.0.3 patches the issue. | |||||
| CVE-2026-33932 | 1 Open-emr | 1 Openemr | 2026-03-26 | N/A | 7.6 HIGH |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a stored cross-site scripting vulnerability in the CCDA document preview allows an attacker who can upload or send a CCDA document to execute arbitrary JavaScript in a clinician's browser session when the document is previewed. The XSL stylesheet sanitizes attributes for all other narrative elements but not for `linkHtml`, allowing `href="javascript:..."` and event handler attributes to pass through unchanged. Version 8.0.0.3 patches the issue. | |||||
| CVE-2026-33918 | 1 Open-emr | 1 Openemr | 2026-03-26 | N/A | 7.6 HIGH |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the billing file-download endpoint `interface/billing/get_claim_file.php` only verifies that the caller has a valid session and CSRF token, but does not check any ACL permissions. This allows any authenticated OpenEMR user — regardless of whether they have billing privileges — to download and permanently delete electronic claim batch files containing protected health information (PHI). Version 8.0.0.3 patches the issue. | |||||
| CVE-2026-33917 | 1 Open-emr | 1 Openemr | 2026-03-26 | N/A | 8.8 HIGH |
| OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 contais a SQL injection vulnerability in the ajax_save CAMOS form that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the ajax_save page in the CAMOS form. Version 8.0.0.3 patches the issue. | |||||
| CVE-2026-33915 | 1 Open-emr | 1 Openemr | 2026-03-26 | N/A | 5.4 MEDIUM |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, five insurance company REST API routes are missing the `RestConfig::request_authorization_check()` call that every other data-modifying route in the standard API uses. This allows any authenticated API user to create and modify insurance company records even if their OpenEMR user account does not have administrative ACL permissions. Version 8.0.0.3 patches the issue. | |||||
| CVE-2026-33913 | 1 Open-emr | 1 Openemr | 2026-03-26 | N/A | 7.7 HIGH |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an authenticated user with access to the Carecoordination module can upload a crafted CCDA document containing `<xi:include href="file:///etc/passwd" parse="text"/>` to read arbitrary files from the server. Version 8.0.0.3 patches the issue. | |||||
| CVE-2026-33912 | 1 Open-emr | 1 Openemr | 2026-03-26 | N/A | 5.4 MEDIUM |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an authenticated attacker could craft a malicious form that, when submitted by a victim, executes arbitrary JavaScript in the victim's browser session. Version 8.0.0.3 patches the issue. | |||||
| CVE-2026-33911 | 1 Open-emr | 1 Openemr | 2026-03-26 | N/A | 5.4 MEDIUM |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the POST parameter `title` is reflected back in a JSON response built with `json_encode()`. Because the response is served with a `text/html` Content-Type, the browser interprets injected HTML/script tags rather than treating the output as JSON. An authenticated attacker can craft a request that executes arbitrary JavaScript in a victim's session. Version 8.0.0.3 contains a fix. | |||||
| CVE-2026-29187 | 1 Open-emr | 1 Openemr | 2026-03-26 | N/A | 8.1 HIGH |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a Blind SQL Injection vulnerability exists in the Patient Search functionality (/interface/new/new_search_popup.php). The vulnerability allows an authenticated attacker to execute arbitrary SQL commands by manipulating the HTTP parameter keys rather than the values. Version 8.0.0.3 contains a patch. | |||||
| CVE-2026-33910 | 1 Open-emr | 1 Openemr | 2026-03-26 | N/A | 7.2 HIGH |
| OpenEMR is a free and open source electronic health records and medical practice management application. Versions up to and including 8.0.0.2 contain a SQL injection vulnerability in the patient selection feature that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the patient selection feature. Version 8.0.0.3 contains a patch. | |||||
| CVE-2026-33933 | 1 Open-emr | 1 Openemr | 2026-03-26 | N/A | 6.1 MEDIUM |
| OpenEMR is a free and open source electronic health records and medical practice management application. Starting in version 7.0.2.1 and prior to version 8.0.0.3, a reflected cross-site scripting (XSS) vulnerability in the custom template editor allows an attacker to execute arbitrary JavaScript in an authenticated staff member's browser session by sending them a crafted URL. The attacker does not need an OpenEMR account. Version 8.0.0.3 patches the issue. | |||||
| CVE-2026-34051 | 1 Open-emr | 1 Openemr | 2026-03-26 | N/A | 5.4 MEDIUM |
| OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 have an improper access control on the Import/Export functionality, allowing unauthorized users to perform import and export actions through direct request manipulation despite UI restrictions. This can lead to unauthorized data access, bulk data extraction, and manipulation of system data. Version 8.0.0.3 contains a fix. | |||||
| CVE-2026-34053 | 1 Open-emr | 1 Openemr | 2026-03-26 | N/A | 7.1 HIGH |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, missing authorization in the AJAX deletion endpoint `interface/forms/procedure_order/handle_deletions.php` allows any authenticated user, regardless of role, to irreversibly delete procedure orders, answers, and specimens belonging to any patient in the system. Version 8.0.0.3 patches the issue. | |||||
| CVE-2026-34055 | 1 Open-emr | 1 Openemr | 2026-03-26 | N/A | 8.1 HIGH |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the legacy patient notes functions in `library/pnotes.inc.php` perform updates and deletes using `WHERE id = ?` without verifying that the note belongs to a patient the user is authorized to access. Multiple web UI callers pass user-controlled note IDs directly to these functions. This is the same class of vulnerability as CVE-2026-25745 (REST API IDOR), but affects the web UI code paths. Version 8.0.0.3 patches the issue. | |||||
| CVE-2026-34056 | 1 Open-emr | 1 Openemr | 2026-03-26 | N/A | 7.7 HIGH |
| OpenEMR is a free and open source electronic health records and medical practice management application. A Broken Access Control vulnerability in OpenEMR up to and including version 8.0.0.3 allows low-privilege users to view and download Ensora eRx error logs without proper authorization checks. This flaw compromises system confidentiality by exposing sensitive information, potentially leading to unauthorized data disclosure and misuse. As of time of publication, no known patches versions are available. | |||||
| CVE-2026-33346 | 1 Open-emr | 1 Openemr | 2026-03-20 | N/A | 8.7 HIGH |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, a stored cross-site scripting (XSS) vulnerability in the patient portal payment flow allows a patient portal user to persist arbitrary JavaScript that executes in the browser of a staff member who reviews the payment submission. The payload is stored via `portal/lib/paylib.php` and rendered without escaping in `portal/portal_payment.php`. Version 8.0.0.2 fixes the issue. | |||||
| CVE-2026-32238 | 1 Open-emr | 1 Openemr | 2026-03-20 | N/A | 9.1 CRITICAL |
| OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.2 contain a Command injection vulnerability in the backup functionality that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the backup functionality. Version 8.0.0.2 fixes the issue. | |||||
| CVE-2026-25745 | 1 Open-emr | 1 Openemr | 2026-03-20 | N/A | 6.5 MEDIUM |
| OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, the message/note update endpoint (e.g. PUT or POST) updates by message/note ID only and does not verify that the message belongs to the current patient (or that the user is allowed to edit that patient’s notes). An authenticated user with notes permission can modify any patient’s messages by supplying another message ID. Commit 92a2ff9eaaa80674b3a934a6556e35e7aded5a41 contains a fix for the issue. | |||||
| CVE-2026-25744 | 1 Open-emr | 1 Openemr | 2026-03-20 | N/A | 6.5 MEDIUM |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the encounter vitals API accepts an `id` in the request body and treats it as an UPDATE. There is no verification that the vital belongs to the current patient or encounter. An authenticated user with encounters/notes permission can overwrite any patient's vitals by supplying another patient's vital `id`, leading to medical record tampering. Version 8.0.0.2 fixes the issue. | |||||
| CVE-2026-25928 | 1 Open-emr | 1 Openemr | 2026-03-20 | N/A | 6.5 MEDIUM |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the DICOM zip/export feature uses a user-supplied destination or path component when creating the zip file, without sanitizing path traversal sequences (e.g. `../`). An attacker with DICOM upload/export permission can write files outside the intended directory, potentially under the web root, leading to arbitrary file write and possibly remote code execution if PHP or other executable files can be written. Version 8.0.0.2 fixes the issue. | |||||