
OpenEMR — Vulnerabilities & Security Advisories 101

All 101 CVE vulnerabilities found in OpenEMR, with AI-generated Chinese analysis, references, and POCs.

This page aggregates vulnerability data for OpenEMR, an open-source electronic health records system, focusing on Common Weakness Enumeration (CWE) classifications and associated security risks. The collection encompasses a wide spectrum of defects ranging from injection flaws and cross-site scripting to authentication bypasses and insecure direct object references, covering historical reports and recent advisories from the product’s inception to the present. By reviewing this comprehensive dataset, users can track a vendor’s response patterns through official security advisories, gain a deeper understanding of specific weakness classes within the context of medical software architecture, and examine the complete vulnerability history to identify recurring issues or remediation trends over time. The information is organized to facilitate efficient analysis for security researchers, system administrators, and compliance officers who require accurate, structured insights into the security posture of OpenEMR deployments. Data sources include publicly disclosed Common Vulnerabilities and Exposures entries, vendor notifications, and third-party security research findings, all synthesized to provide a clear view of the threat landscape. This resource serves as a central reference point for evaluating the resilience of OpenEMR against known attack vectors and for informing risk management decisions regarding system updates and patch management strategies. The goal is to provide transparent, accessible information that supports proactive security maintenance without unnecessary complexity or ambiguity.

Vendor: n/a

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-46518 | OpenEMR: Stored XSS in prescription CSS/HTML print view via patient demographics | CWE-79 | 7.7 | High | 2026-06-09 |
| CVE-2023-54347 | OpenEMR 7.0.1 Authentication Brute Force Mitigation Bypass | CWE-307 | 7.5 | High | 2026-05-05 |
| CVE-2026-34056 | OpenEMR has a Privilege Escalation that Allows a Low-Level User to View Admin-Only Data | CWE-285 | 7.7 | High | 2026-03-25 |
| CVE-2026-34055 | OpenEMR has IDOR in Patient Notes Web UI allows unauthorized note access/modification | CWE-639 | 8.1 | High | 2026-03-25 |
| CVE-2026-34053 | OpenEMR Missing Authorization in Procedure Order AJAX Deletion Handler | CWE-862 | 7.1 | High | 2026-03-25 |
| CVE-2026-34051 | OpenEMR has Improper ACL On Import/Export Popup | CWE-285 | 5.4 | Medium | 2026-03-25 |
| CVE-2026-33934 | OpenEMR's Missing Authorization in show-signature.php Allows Portal Patients to Read Staff Signatures | CWE-639 | 4.3 | Medium | 2026-03-25 |
| CVE-2026-33933 | Reflected XSS via Unescaped contextName Parameter in Custom Template Editor | CWE-79 | 6.1 | Medium | 2026-03-25 |
| CVE-2026-33932 | OpenEMR has Stored XSS in CCDA Preview via Unsanitized linkHtml Attributes | CWE-79 | 7.6 | High | 2026-03-25 |
| CVE-2026-33931 | OpenEMR has IDOR in Portal Payment Page that Allows Cross-Patient Record Access | CWE-639 | 6.5 | Medium | 2026-03-25 |
| CVE-2026-33918 | OpenEMR Missing Authorization on Claim File Download Endpoint | CWE-862 | 7.6 | High | 2026-03-25 |
| CVE-2026-33917 | OpenEMR has SQL Injection in CAMOS Form | CWE-89 | 8.8 | High | 2026-03-25 |
| CVE-2026-33915 | OpenEMR Missing ACL Checks on Insurance Company API Routes | CWE-862 | 5.4 | Medium | 2026-03-25 |
| CVE-2026-33914 | OpenEMR has SQL Injection in PostCalendar Category Delete | CWE-89 | 7.2 | High | 2026-03-25 |
| CVE-2026-33913 | OpenEMR: XInclude Injection in CCDA Import Allows Reading Arbitrary Server Files | CWE-611 | 7.7 | High | 2026-03-25 |
| CVE-2026-33912 | OpenEMR has reflected XSS in ajax_download.php via reportID parameter | CWE-79 | 5.4 | Medium | 2026-03-25 |
| CVE-2026-33911 | OpenEMR vulnerable to reflected XSS in graphs.php via title parameter | CWE-79 | 5.4 | Medium | 2026-03-25 |
| CVE-2026-33910 | OpenEMR has a SQL Injection Vulnerability in patient selection | CWE-89 | 7.2 | High | 2026-03-25 |
| CVE-2026-33909 | OpenEMR Vulnerable to SQL Injection via Unsanitized Variables in MedEx Recall/Reminder Processing | CWE-89 | 5.9 | Medium | 2026-03-25 |
| CVE-2026-33348 | OpenEMR has Stored XSS in patient encounter Eye Exam form $CHRONIC2 and $CHRONIC3 | CWE-79 | 8.7 | High | 2026-03-25 |
| CVE-2026-32120 | OpenEMR has IDOR in Fee Sheet Product Save | CWE-639 | 6.5 | Medium | 2026-03-25 |
| CVE-2026-29187 | OpenEMR Vulnerable to Authenticated Blind Boolean-Based SQL Injection in new_search_popup.php | CWE-89 | 8.1 | High | 2026-03-25 |
| CVE-2026-33346 | OpenEMR has stored XSS in portal_payment.php via Unescaped table_args | CWE-79 | 8.7 | High | 2026-03-19 |
| CVE-2026-33305 | OpenEMR has Authorization Bypass in FaxSMS AppDispatch Constructor | CWE-696 | 5.4 | Medium | 2026-03-19 |
| CVE-2026-33304 | OpenEMR has Authorization Bypass in Dated Reminders Log | CWE-639 | 6.5 | Medium | 2026-03-19 |
| CVE-2026-33303 | OpenEMR Vulnerable to Stored XSS via Unescaped portal_login_username in Credential Print View | CWE-79 | 5.4 | Medium | 2026-03-19 |
| CVE-2026-33302 | OpenEMR: zhAclCheck Ignores Explicit ACL Denies | CWE-863 | 7.6 | - | 2026-03-19 |
| CVE-2026-33321 | OpenEMR has Out-of-Band Server-Side Request Forgery (OOB SSRF) | CWE-918 | 7.6 | - | 2026-03-19 |
| CVE-2026-33301 | OpenEMR has arbitrary image file read via PDF generator | CWE-116 | 3.5 | - | 2026-03-19 |
| CVE-2026-33299 | OpenEMR has Stored XSS in patient encounter Eye Exam form answers | CWE-79 | 5.4 | - | 2026-03-19 |
