Filtered by vendor Open-emr
Subscribe
Total
217 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-32119 | 1 Open-emr | 1 Openemr | 2026-03-20 | N/A | 4.4 MEDIUM |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, DOM-based stored XSS in the jQuery SearchHighlight plugin (`library/js/SearchHighlight.js`) allows an authenticated user with encounter form write access to inject arbitrary JavaScript that executes in another clinician's browser session when they use the search/find feature on the Custom Report page. The plugin reverses server-side HTML entity encoding by reading decoded text from DOM text nodes, concatenating it into a raw HTML string, and passing it to jQuery's `$()` constructor for HTML parsing. Version 8.0.0.2 fixes the issue. | |||||
| CVE-2026-33299 | 1 Open-emr | 1 Openemr | 2026-03-20 | N/A | 5.4 MEDIUM |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users with the `Notes - my encounters` role can fill **Eye Exam** forms in patient encounters. The answers to the form are displayed on the encounter page and in the visit history for the users with the same role. There exists a stored cross-site scripting (XSS) vulnerability in the function to display the form answers, allowing any authenticated attacker with the specific role to insert arbitrary JavaScript into the system by entering malicious payloads to the form answers. The JavaScript code is later executed by any user with the form role when viewing the form answers in the patient encounter pages or visit history. Version 8.0.0.2 fixes the issue. | |||||
| CVE-2026-33301 | 1 Open-emr | 1 Openemr | 2026-03-20 | N/A | 8.1 HIGH |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users with the `Notes - my encounters` role can fill Eye Exam forms in patient encounters. The answers to the form can be printed out in PDF form. An arbitrary file read vulnerability was identified in the PDF creation function where the form answers are parsed as unescaped HTML, allowing an attacker to include arbitrary image files from the server in the generated PDF. Version 8.0.0.2 fixes the issue. | |||||
| CVE-2026-33302 | 1 Open-emr | 1 Openemr | 2026-03-20 | N/A | 8.1 HIGH |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the module ACL function `AclMain::zhAclCheck()` only checks for the presence of any "allow" (user or group). It never checks for explicit "deny" (allowed=0). As a result, administrators cannot revoke access by setting a user or group to "deny"; if the user is in a group that has "allow," access is granted regardless of explicit denies. Version 8.0.0.2 fixes the issue. | |||||
| CVE-2026-33303 | 1 Open-emr | 1 Openemr | 2026-03-20 | N/A | 5.4 MEDIUM |
| OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.2 are vulnerable to stored cross-site scripting (XSS) via unescaped `portal_login_username` in the portal credential print view. A patient portal user can set their login username to an XSS payload, which then executes in a clinic staff member's browser when they open the "Create Portal Login" page for that patient. This crosses from the patient session context into the staff/admin session context. Version 8.0.0.2 fixes the issue. | |||||
| CVE-2026-33304 | 1 Open-emr | 1 Openemr | 2026-03-20 | N/A | 6.5 MEDIUM |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an authorization bypass in the dated reminders log allows any authenticated non-admin user to view reminder messages belonging to other users, including associated patient names and free-text message content, by crafting a GET request with arbitrary user IDs in the `sentTo[]` or `sentBy[]` parameters. Version 8.0.0.2 fixes the issue. | |||||
| CVE-2026-33305 | 1 Open-emr | 1 Openemr | 2026-03-20 | N/A | 5.4 MEDIUM |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an authorization bypass in the optional FaxSMS module (`oe-module-faxsms`) allows any authenticated OpenEMR user to invoke controller methods — including `getNotificationLog()`, which returns patient appointment data (PHI) — regardless of whether they hold the required ACL permissions. The `AppDispatch` constructor dispatches user-controlled actions and exits the process before any calling code can enforce ACL checks. Version 8.0.0.2 fixes the issue. | |||||
| CVE-2026-33321 | 1 Open-emr | 1 Openemr | 2026-03-20 | N/A | 7.6 HIGH |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users with the `Notes - my encounters` role can fill Eye Exam forms in patient encounters. The answers to the form can be printed out in PDF form. An Out-of-Band Server-Side Request Forgery (OOB SSRF) vulnerability was identified in the PDF creation function where the form answers are parsed as unescaped HTML, allowing an attacker to forge requests from the server made to external or internal resources. Version 8.0.0.2 fixes the issue. | |||||
| CVE-2026-32118 | 1 Open-emr | 1 Openemr | 2026-03-13 | N/A | 5.4 MEDIUM |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, stored cross-site scripting (XSS) in the Graphical Pain Map ("clickmap") form allows any authenticated clinician to inject arbitrary JavaScript that executes in the browser of every subsequent user who views the affected encounter form. Because session cookies are not marked HttpOnly, this enables full session hijacking of other users, including administrators. This vulnerability is fixed in 8.0.0.1. | |||||
| CVE-2026-32121 | 1 Open-emr | 1 Openemr | 2026-03-13 | N/A | 7.7 HIGH |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, Stored XSS in prescription CSS/HTML print view via patient demographics. That finding involves server-side rendering of patient names via raw PHP echo. This finding involves client-side DOM-based rendering via jQuery .html() in a completely different component (portal/sign/assets/signer_api.js). The two share the same root cause (unsanitized patient names in patient_data), but they have different sinks, different affected components, different trigger actions, and require independent fixes. This vulnerability is fixed in 8.0.0.1. | |||||
| CVE-2026-32122 | 1 Open-emr | 1 Openemr | 2026-03-13 | N/A | 4.3 MEDIUM |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the Claim File Tracker feature exposes an AJAX endpoint that returns billing claim metadata (claim IDs, payer info, transmission logs). The endpoint does not enforce the same ACL as the main billing/claims workflow, so authenticated users without appropriate billing permissions can access this data. This vulnerability is fixed in 8.0.0.1. | |||||
| CVE-2026-32123 | 1 Open-emr | 1 Openemr | 2026-03-13 | N/A | 7.7 HIGH |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, sensitivity checks for group encounters are broken because the code only consults form_encounter for sensitivity, while group encounters store sensitivity in form_groups_encounter. As a result, sensitivity is never correctly applied to group encounters, and users who should be restricted from viewing sensitive (e.g. mental health) encounters can view them. This vulnerability is fixed in 8.0.0.1. | |||||
| CVE-2026-32124 | 1 Open-emr | 1 Openemr | 2026-03-13 | N/A | 5.4 MEDIUM |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the dynamic code picker AJAX endpoint returns code descriptions (code_text) that are rendered in the front end (e.g. DataTables) without HTML escaping. If an administrator (or user with code management rights) creates or edits a code with a malicious description containing script, that script runs in the browser of every user who uses the picker. This vulnerability is fixed in 8.0.0.1. | |||||
| CVE-2026-32125 | 1 Open-emr | 1 Openemr | 2026-03-13 | N/A | 5.4 MEDIUM |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, track/item names from the Track Anything feature are stored from user input (POST) and later rendered in Dygraph charts (titles/labels) using innerHTML or equivalent without escaping. A user who can create or edit Track Anything items can inject script that runs when any user views the corresponding graph. This vulnerability is fixed in 8.0.0.1. | |||||
| CVE-2026-32126 | 1 Open-emr | 1 Openemr | 2026-03-13 | N/A | 7.1 HIGH |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, an inverted boolean condition in ControllerRouter::route() causes the admin/super ACL check to be enforced only for controllers that already have their own internal authorization (review, log), while leaving all other CDR controllers — alerts, ajax, edit, add, detail, browse — accessible to any authenticated user. This allows any logged-in user to suppress clinical decision support alerts system-wide, delete or modify clinical plans, and edit rule configurations — all operations intended to require administrator privileges. This vulnerability is fixed in 8.0.0.1. | |||||
| CVE-2026-32127 | 1 Open-emr | 1 Openemr | 2026-03-13 | N/A | 8.8 HIGH |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, OpenEMR contains a SQL injection vulnerability in the ajax graphs library that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the ajax graphs library. This vulnerability is fixed in 8.0.0.1. | |||||
| CVE-2026-24848 | 1 Open-emr | 1 Openemr | 2026-03-04 | N/A | 9.9 CRITICAL |
| OpenEMR is a free and open source electronic health records and medical practice management application. In 7.0.4 and earlier, the disposeDocument() method in EtherFaxActions.php allows authenticated users to write arbitrary content to arbitrary locations on the server filesystem. This vulnerability can be exploited to achieve Remote Code Execution (RCE) by uploading malicious PHP web shells. | |||||
| CVE-2026-24898 | 1 Open-emr | 1 Openemr | 2026-03-04 | N/A | 10.0 CRITICAL |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0, an unauthenticated token disclosure vulnerability in the MedEx callback endpoint allows any unauthenticated visitor to obtain the practice's MedEx API tokens, leading to complete third-party service compromise, PHI exfiltration, unauthorized actions on the MedEx platform, and HIPAA violations. The vulnerability exists because the endpoint bypasses authentication ($ignoreAuth = true) and performs a MedEx login whenever $_POST['callback_key'] is provided, returning the full JSON response including sensitive API tokens. This vulnerability is fixed in 8.0.0. | |||||
| CVE-2026-25146 | 1 Open-emr | 1 Openemr | 2026-03-04 | N/A | 9.6 CRITICAL |
| OpenEMR is a free and open source electronic health records and medical practice management application. From 5.0.2 to before 8.0.0, there are (at least) two paths where the gateway_api_key secret value is rendered to the client in plaintext. These secret keys being leaked could result in arbitrary money movement or broad account takeover of payment gateway APIs. This vulnerability is fixed in 8.0.0. | |||||
| CVE-2026-25147 | 1 Open-emr | 1 Openemr | 2026-03-03 | N/A | 7.1 HIGH |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, in `portal/portal_payment.php`, the patient id used for the page is taken from the request (`$pid = $_REQUEST['pid'] ?? $pid` and `$pid = ($_REQUEST['hidden_patient_code'] ?? null) > 0 ? $_REQUEST['hidden_patient_code'] : $pid`) instead of being fixed to the authenticated portal user. The portal session already has a valid `$pid` for the logged-in patient. Overwriting it with user-supplied values and using it without authorization allows a portal user to view and interact with another patient's demographics, invoices, and payment history—horizontal privilege escalation and IDOR. Version 8.0.0 contains a fix for the issue. | |||||