CVE-2026-25746

HIGH

OpenEMR <8.0.0 - SQL Injection

Title source: llm

Description

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0 contain a SQL injection vulnerability in prescription that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the prescription listing functionality. Version 8.0.0 fixes the vulnerability.

Exploits (1)

github WORKING POC 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-25746

View Code ZIP pw:eip

References (7)

[Exploit, Third Party Advisory] https://github.com/ChrisSub08/CVE-2026-25746_SqlInjectionVulnerabilityOpenEMR7.0.4

View Exploit ZIP pw:eip

[Third Party Advisory] https://github.com/openemr/openemr/blob/2b46e594b9dd665fb7f16c913ca07f5c6d54412b/library/classes/Controller.class.php#L77

[Third Party Advisory] https://github.com/openemr/openemr/blob/9fa8db9f12d0b70985195b11b90f2dc564bd3b24/controller.php#L6

[Third Party Advisory] https://github.com/openemr/openemr/blob/9fa8db9f12d0b70985195b11b90f2dc564bd3b24/controllers/C_Prescription.class.php#L180

[Third Party Advisory] https://github.com/openemr/openemr/blob/9fa8db9f12d0b70985195b11b90f2dc564bd3b24/library/classes/Prescription.class.php#L1148

[Patch] https://github.com/openemr/openemr/commit/e230d3ef46425ffc96a37dc6369428aa37c88554

View Patch ZIP pw:eip

[Vendor Advisory] https://github.com/openemr/openemr/security/advisories/GHSA-78r7-g65p-gpw3

Scores

CVSS v3 8.8

EPSS 0.0000

EPSS Percentile 0.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (1)

open-emr/openemr < 8.0.0

Published Feb 25, 2026

Tracked Since Feb 26, 2026