open-emr

217 tracked vulnerabilities.

| CVE | Severity | Title | Published | CVSS | EPSS |
|---|---|---|---|---|---|
| CVE-2026-33302 | HIGH | OpenEMR: zhAclCheck Ignores Explicit ACL Denies | Mar 19, 2026 | 8.1 | 0.00 |
| CVE-2026-33301 | HIGH | OpenEMR has arbitrary image file read via PDF generator | Mar 19, 2026 | 8.1 | 0.00 |
| CVE-2026-33299 | MEDIUM | OpenEMR has Stored XSS in patient encounter Eye Exam form answers | Mar 19, 2026 | 5.4 | 0.00 |
| CVE-2026-32238 | CRITICAL | OpenEMR has Remote Code Execution in backup functionality | Mar 19, 2026 | 9.1 | 0.00 |
| CVE-2026-32119 | MEDIUM | OpenEMR has Stored DOM XSS via SearchHighlight text-node reconstruction on Custom Report page | Mar 19, 2026 | 4.4 | 0.00 |
| CVE-2026-25928 | MEDIUM | OpenEMR Vulnerable to Path Traversal When Zipping DICOM Folders | Mar 19, 2026 | 6.5 | 0.00 |
| CVE-2026-25744 | MEDIUM | OpenEMR: POST /api/.../vital Accepts Attacker-Supplied id and Overwrites Arbitrary Vitals | Mar 19, 2026 | 6.5 | 0.00 |
| CVE-2026-25745 | MEDIUM | OpenEMR's Message Update Ignores Patient id | Mar 18, 2026 | 6.5 | 0.00 |
| CVE-2026-32127 | HIGH | OpenEMR < 8.0.0.1 - Authenticated SQL Injection via AJAX Graphs Library | Mar 11, 2026 | 8.8 | 0.00 |
| CVE-2026-32126 | HIGH | OpenEMR < 8.0.0.1 - Privilege Escalation | Mar 11, 2026 | 7.1 | 0.00 |
| CVE-2026-32125 | MEDIUM | OpenEMR < 8.0.0.1 - Stored Cross-Site Scripting in Track Anything Dygraph Chart Renderer | Mar 11, 2026 | 5.4 | 0.00 |
| CVE-2026-32124 | MEDIUM | OpenEMR < 8.0.0.1 - Stored Cross-Site Scripting via Code Description in Dynamic Code Picker | Mar 11, 2026 | 5.4 | 0.00 |
| CVE-2026-32123 | HIGH | OpenEMR < 8.0.0.1 - Incorrect Authorization for Group Encounters | Mar 11, 2026 | 7.7 | 0.00 |
| CVE-2026-32122 | MEDIUM | OpenEMR < 8.0.0.1 - Authenticated Missing Authorization in Claim File Tracker Endpoint | Mar 11, 2026 | 4.3 | 0.00 |
| CVE-2026-32121 | HIGH | OpenEMR < 8.0.0.1 - Stored Cross-Site Scripting via Patient Demographics in Prescription Print View | Mar 11, 2026 | 7.7 | 0.00 |
| CVE-2026-32118 | MEDIUM | OpenEMR < 8.0.0.1 - Authenticated Stored Cross-Site Scripting in Graphical Pain Map Form | Mar 11, 2026 | 5.4 | 0.00 |
| CVE-2026-25146 | CRITICAL | OpenEMR 5.0.2-7.9.9 - Info Disclosure | Mar 03, 2026 | 9.6 | 0.00 |
| CVE-2026-24898 | CRITICAL | OpenEMR < 8.0.0 - Unauthenticated Token Disclosure via MedEx Callback Endpoint | Mar 03, 2026 | 10.0 | 0.00 |
| CVE-2026-24848 | CRITICAL | OpenEMR <= 7.0.4 - Authenticated RCE | Mar 03, 2026 | 9.9 | 0.00 |
| CVE-2026-25147 | HIGH | OpenEMR < 8.0.0 - Horizontal Privilege Escalation via Patient ID Override | Feb 27, 2026 | 7.1 | 0.00 |
| CVE-2026-24488 | MEDIUM | OpenEMR <= 8.0.0 - Arbitrary File Exfiltration | Feb 27, 2026 | 6.5 | 0.00 |
| CVE-2026-27943 | MEDIUM | OpenEMR <= 8.0.0 - Privilege Escalation | Feb 26, 2026 | 6.5 | 0.00 |
| CVE-2026-25930 | MEDIUM | OpenEMR < 8.0.0 - Authenticated Authorization Bypass via Layout-Based Form Printable View | Feb 25, 2026 | 6.5 | 0.00 |
| CVE-2026-25929 | MEDIUM | OpenEMR < 8.0.0 - Authenticated Patient Photo Access Control Bypass via Document Controller | Feb 25, 2026 | 6.5 | 0.00 |
| CVE-2026-25927 | HIGH | OpenEMR < 8.0.0 - Authenticated Authorization Bypass via DICOM Viewer State API | Feb 25, 2026 | 7.1 | 0.00 |