open-emr

217 tracked vulnerabilities.

CVE-2018-10571 MEDIUM
OpenEMR < 5.0.1 - Reflected Cross-Site Scripting via Multiple Parameters
Apr 30, 2018
CVSS 6.1
EPSS 0.00
CVE-2018-1000020 MEDIUM
OpenEMR 5.0.0 - Cross-Site Scripting in open-flash-chart.swf and _posteddata.php
Feb 09, 2018
CVSS 6.1
EPSS 0.04
CVE-2018-1000019 HIGH
OpenEMR 5.0.0 - Authenticated OS Command Injection via fax_dispatch.php
Feb 09, 2018
CVSS 8.8
EPSS 0.28
CVE-2017-1000241 HIGH
OpenEMR < 5.0.1 - Privilege Escalation
Nov 17, 2017
CVSS 8.1
EPSS 0.01
CVE-2017-1000240 MEDIUM
OpenEMR < 5.0.0 - Authenticated Reflected and Stored Cross-Site Scripting
Nov 17, 2017
CVSS 5.4
EPSS 0.00
CVE-2017-16540 HIGH
OpenEMR < 5.0.0 - Unauthenticated Database Copy via setup.php State Parameter
Nov 04, 2017
CVSS 7.5
EPSS 0.00
CVE-2017-12064 HIGH
OpenEMR 5.0.0 and prior - Improper Encoding or Escaping of Output in csv_log_html Function
Aug 01, 2017
CVSS 7.5
EPSS 0.01
CVE-2017-9380 HIGH
OpenEMR < 5.0.0 - Authenticated Arbitrary File Upload and Remote Code Execution
Jun 02, 2017
CVSS 8.8
EPSS 0.01
CVE-2017-6394 MEDIUM
OpenEMR 5.0.0 and 5.0.1-dev - Cross-Site Scripting in object_search.php
Mar 02, 2017
CVSS 6.1
EPSS 0.00
CVE-2015-4453
OpenEMR 2.x-4.x - Unauthenticated Authentication Bypass via ignoreAuth Parameter
Jul 05, 2015
EPSS 0.41
CVE-2014-5462
OpenEMR < 4.1.2 - Authenticated SQL Injection via Multiple Parameters
Dec 08, 2014
EPSS 0.00
CVE-2013-10044 HIGH
OpenEMR < 4.1.1 Patch 14 - SQL Injection
Aug 01, 2025
CVSS 8.8
EPSS 0.05
CVE-2013-4620
OpenEMR 4.1.1 - Cross-Site Scripting via Office Comments Note Parameter
Aug 09, 2013
EPSS 0.01
CVE-2013-4619
OpenEMR 4.1.1 - Authenticated SQL Injection via start/end/form_newid Parameters
Aug 09, 2013
EPSS 0.00
CVE-2012-2115
OpenEMR < 4.1.0 - SQL Injection via User Parameter
Sep 09, 2012
EPSS 0.00
CVE-2011-5161
OpenEMR 4 - Unauthenticated Arbitrary PHP File Upload via Patient Photograph Feature
Sep 09, 2012
EPSS 0.03
CVE-2011-5160
OpenEMR 4 - Cross-Site Scripting via Site Parameter
Sep 09, 2012
EPSS 0.00