open-emr

217 tracked vulnerabilities.

CVE             Severity  CVSS  EPSS  Published      Title
CVE-2026-25746  HIGH      8.8   0.00  Feb 25, 2026   OpenEMR < 8.0.0 - Authenticated SQL Injection in Prescription Listing
CVE-2026-25743  MEDIUM    4.8   0.00  Feb 25, 2026   OpenEMR < 8.0.0 - Authenticated Stored Cross-Site Scripting via Form Answers
CVE-2026-25476  HIGH      7.5   0.00  Feb 25, 2026   OpenEMR < 8.0.0 - Insufficient Session Expiration via skip_timeout_reset Parameter
CVE-2026-25220  MEDIUM    6.5   0.00  Feb 25, 2026   OpenEMR < 8.0.0 - Privilege Escalation
CVE-2026-25164  HIGH      8.1   0.00  Feb 25, 2026   OpenEMR < 8.0.0 - Missing Authorization for Document and Insurance REST API Routes
CVE-2026-24908  CRITICAL  9.9   0.00  Feb 25, 2026   OpenEMR < 8.0.0 - Authenticated SQL Injection via Patient REST API _sort Parameter
CVE-2026-24890  HIGH      8.1   0.00  Feb 25, 2026   OpenEMR < 8.0.0 - Authenticated Authorization Bypass via Patient Portal Signature Endpoint
CVE-2026-24487  MEDIUM    6.5   0.00  Feb 25, 2026   OpenEMR < 8.0.0 - Unauthenticated Authorization Bypass in FHIR CareTeam Endpoint
CVE-2026-23627  HIGH      8.8   0.00  Feb 25, 2026   OpenEMR < 8.0.0 - Authenticated SQL Injection via Immunization Module Patient ID Parameter
CVE-2026-25135  MEDIUM    4.5   0.00  Feb 25, 2026   OpenEMR < 8.0.0 - Unauthorized Information Disclosure via System Export Operation
CVE-2026-25131  HIGH      8.8   0.00  Feb 25, 2026   OpenEMR < 8.0.0 - Privilege Escalation
CVE-2026-25127  MEDIUM    6.5   0.00  Feb 25, 2026   OpenEMR < 8.0.0 - Privilege Escalation
CVE-2026-25124  MEDIUM    6.5   0.00  Feb 25, 2026   OpenEMR < 8.0.0 - Privilege Escalation
CVE-2026-24896  MEDIUM    6.5   0.00  Feb 25, 2026   OpenEMR < 8.0.0 - Broken Access Control
CVE-2026-24849  CRITICAL  9.9   0.00  Feb 25, 2026   OpenEMR < 7.0.4 - Authenticated Path Traversal via EtherFaxActions.php disposeDocument()
CVE-2026-24847  MEDIUM    6.1   0.00  Feb 25, 2026   OpenEMR < 8.0.0 - Authenticated Open Redirect via Eye Exam Form Module
CVE-2026-21443  MEDIUM    6.1   0.00  Feb 25, 2026   OpenEMR < 8.0.0 - Cross-Site Scripting via Unescaped Translation Function Output
CVE-2025-69231  HIGH      8.7   0.00  Feb 25, 2026   OpenEMR < 8.0.0 - Authenticated Stored Cross-Site Scripting in GAD-7 Anxiety Assessment Form
CVE-2025-68277  MEDIUM    5.0   0.00  Feb 25, 2026   OpenEMR < 7.0.4 - User Interface Misrepresentation via Secure Messaging Link Handling
CVE-2025-67752  HIGH      8.1   0.00  Feb 25, 2026   OpenEMR < 7.0.4 - Improper Certificate Validation in HTTP Client Wrapper
CVE-2025-67491  MEDIUM    5.4   0.00  Feb 25, 2026   OpenEMR 5.0.0.5-7.0.3.4 - Stored Cross-Site Scripting in Billing UB04 Helper
CVE-2025-67645  HIGH      8.8   0.00  Jan 28, 2026   OpenEMR < 7.0.4 - Authenticated Improper Access Control via Profile Edit Endpoint
CVE-2025-54373  MEDIUM    6.5   0.00  Jan 28, 2026   OpenEMR < 7.0.4 - Unauthorized Exposure of Sensitive Clinical Data
CVE-2025-43860  HIGH      7.6   0.01  May 23, 2025   OpenEMR < 7.0.3.4 - Authenticated Stored Cross-Site Scripting via Patient Demographics Address Fields
CVE-2025-32967  MEDIUM    5.4   0.01  May 23, 2025   OpenEMR < 7.0.3.4 - Insufficient Logging of Password Change Events