OpenEMR — Vulnerabilities & Security Advisories (99)

All 99 CVE vulnerabilities recorded for OpenEMR, each with AI-generated Chinese analysis, references, and proof-of-concept material where one is available. The 30 most recently published entries are listed below, newest first.

Vendor: n/a

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-34056 | OpenEMR has a Privilege Escalation that Allows a Low-Level User to View Admin-Only Data | CWE-285 | 7.7 | High | 2026-03-25 |
| CVE-2026-34055 | OpenEMR has IDOR in Patient Notes Web UI allows unauthorized note access/modification | CWE-639 | 8.1 | High | 2026-03-25 |
| CVE-2026-34053 | OpenEMR Missing Authorization in Procedure Order AJAX Deletion Handler | CWE-862 | 7.1 | High | 2026-03-25 |
| CVE-2026-34051 | OpenEMR has Improper ACL On Import/Export Popup | CWE-285 | 5.4 | Medium | 2026-03-25 |
| CVE-2026-33934 | OpenEMR's Missing Authorization in show-signature.php Allows Portal Patients to Read Staff Signatures | CWE-639 | 4.3 | Medium | 2026-03-25 |
| CVE-2026-33933 | Reflected XSS via Unescaped contextName Parameter in Custom Template Editor | CWE-79 | 6.1 | Medium | 2026-03-25 |
| CVE-2026-33932 | OpenEMR has Stored XSS in CCDA Preview via Unsanitized linkHtml Attributes | CWE-79 | 7.6 | High | 2026-03-25 |
| CVE-2026-33931 | OpenEMR has IDOR in Portal Payment Page that Allows Cross-Patient Record Access | CWE-639 | 6.5 | Medium | 2026-03-25 |
| CVE-2026-33918 | OpenEMR Missing Authorization on Claim File Download Endpoint | CWE-862 | 7.6 | High | 2026-03-25 |
| CVE-2026-33917 | OpenEMR has SQL Injection in CAMOS Form | CWE-89 | 8.8 | High | 2026-03-25 |
| CVE-2026-33915 | OpenEMR Missing ACL Checks on Insurance Company API Routes | CWE-862 | 5.4 | Medium | 2026-03-25 |
| CVE-2026-33914 | OpenEMR has SQL Injection in PostCalendar Category Delete | CWE-89 | 7.2 | High | 2026-03-25 |
| CVE-2026-33913 | OpenEMR: XInclude Injection in CCDA Import Allows Reading Arbitrary Server Files | CWE-611 | 7.7 | High | 2026-03-25 |
| CVE-2026-33912 | OpenEMR has reflected XSS in ajax_download.php via reportID parameter | CWE-79 | 5.4 | Medium | 2026-03-25 |
| CVE-2026-33911 | OpenEMR vulnerable to reflected XSS in graphs.php via title parameter | CWE-79 | 5.4 | Medium | 2026-03-25 |
| CVE-2026-33910 | OpenEMR has a SQL Injection Vulnerability in patient selection | CWE-89 | 7.2 | High | 2026-03-25 |
| CVE-2026-33909 | OpenEMR Vulnerable to SQL Injection via Unsanitized Variables in MedEx Recall/Reminder Processing | CWE-89 | 5.9 | Medium | 2026-03-25 |
| CVE-2026-33348 | OpenEMR has Stored XSS in patient encounter Eye Exam form $CHRONIC2 and $CHRONIC3 | CWE-79 | 8.7 | High | 2026-03-25 |
| CVE-2026-32120 | OpenEMR has IDOR in Fee Sheet Product Save | CWE-639 | 6.5 | Medium | 2026-03-25 |
| CVE-2026-29187 | OpenEMR Vulnerable to Authenticated Blind Boolean-Based SQL Injection in new_search_popup.php | CWE-89 | 8.1 | High | 2026-03-25 |
| CVE-2026-33346 | OpenEMR has stored XSS in portal_payment.php via Unescaped table_args | CWE-79 | 8.7 | High | 2026-03-19 |
| CVE-2026-33305 | OpenEMR has Authorization Bypass in FaxSMS AppDispatch Constructor | CWE-696 | 5.4 | Medium | 2026-03-19 |
| CVE-2026-33304 | OpenEMR has Authorization Bypass in Dated Reminders Log | CWE-639 | 6.5 | Medium | 2026-03-19 |
| CVE-2026-33303 | OpenEMR Vulnerable to Stored XSS via Unescaped portal_login_username in Credential Print View | CWE-79 | 5.4 | Medium | 2026-03-19 |
| CVE-2026-33302 | OpenEMR: zhAclCheck Ignores Explicit ACL Denies | CWE-863 | 7.6 | - | 2026-03-19 |
| CVE-2026-33321 | OpenEMR has Out-of-Band Server-Side Request Forgery (OOB SSRF) | CWE-918 | 7.6 | - | 2026-03-19 |
| CVE-2026-33301 | OpenEMR has arbitrary image file read via PDF generator | CWE-116 | 3.5 | - | 2026-03-19 |
| CVE-2026-33299 | OpenEMR has Stored XSS in patient encounter Eye Exam form answers | CWE-79 | 5.4 | - | 2026-03-19 |
| CVE-2026-32119 | OpenEMR has Stored DOM XSS via SearchHighlight text-node reconstruction on Custom Report page | CWE-79 | 4.4 | Medium | 2026-03-19 |
| CVE-2026-32238 | OpenEMR has Remote Code Execution in backup functionality | CWE-78 | 9.1 | Critical | 2026-03-19 |
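Four of the entries above (CVE-2026-33302, CVE-2026-33321, CVE-2026-33301, CVE-2026-33299) carry a CVSS score but no severity label on the page. The page does not say which CVSS version it uses, but the qualitative bands are the same for v3.0, v3.1 and v4.0 (0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0-10.0 Critical), so the missing labels follow from the scores. The script below is an added example, not code from this site or from the OpenEMR project: it parses rows in the flattened form the listing uses, derives a severity label where the page shows "-", flags any row whose printed label disagrees with its score band, and ranks entries for triage. The sample rows are copied from the table above; the regex, the `Advisory` record and the triage threshold are assumptions made for the example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: five rows copied from the listing above, in the flattened
# form the page uses (severity label and publication date run together).
SAMPLE_ROWS = """
CVE-2026-34056 OpenEMR has a Privilege Escalation that Allows a Low-Level User to View Admin-Only Data CWE-285 7.7 High2026-03-25
CVE-2026-33917 OpenEMR has SQL Injection in CAMOS Form CWE-89 8.8 High2026-03-25
CVE-2026-33302 OpenEMR: zhAclCheck Ignores Explicit ACL Denies CWE-863 7.6 -2026-03-19
CVE-2026-33301 OpenEMR has arbitrary image file read via PDF generator CWE-116 3.5 -2026-03-19
CVE-2026-32238 OpenEMR has Remote Code Execution in backup functionality CWE-78 9.1 Critical2026-03-19
"""

# Assumed row layout: CVE id, free-text title, CWE id, CVSS score, severity
# label (or "-"), then the ISO date glued directly onto the label.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,7})\s+"
    r"(?P<title>.+?)\s+"
    r"(?P<cwe>CWE-\d+)\s+"
    r"(?P<score>(?:10\.0|\d\.\d))\s+"
    r"(?P<severity>Critical|High|Medium|Low|None|-)"
    r"(?P<date>\d{4}-\d{2}-\d{2})$"
)


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    cwe: str
    score: float
    severity: str        # label as printed, or derived from the score when the page shows "-"
    published: str
    label_derived: bool  # True when severity came from the score rather than the page


def rating_from_score(score):
    """Qualitative severity bands shared by CVSS v3.0, v3.1 and v4.0."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def parse_rows(text):
    """Turn flattened listing rows into Advisory records; reject rows that do not fit the layout."""
    advisories = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        score = float(m["score"])
        label = m["severity"]
        derived = label == "-"
        advisories.append(Advisory(
            cve=m["cve"], title=m["title"], cwe=m["cwe"], score=score,
            severity=rating_from_score(score) if derived else label,
            published=m["date"], label_derived=derived,
        ))
    return advisories


def mislabelled(advisories):
    """Rows whose printed severity disagrees with the CVSS band of their score."""
    return [a for a in advisories
            if not a.label_derived and a.severity != rating_from_score(a.score)]


def triage(advisories, min_score=7.0):
    """Advisories at or above min_score, highest score first, newest first on ties."""
    hits = [a for a in advisories if a.score >= min_score]
    return sorted(hits, key=lambda a: (a.score, a.published, a.cve), reverse=True)


def cwe_histogram(advisories):
    """How many advisories fall under each weakness class."""
    return Counter(a.cwe for a in advisories)


if __name__ == "__main__":
    advs = parse_rows(SAMPLE_ROWS)
    for a in triage(advs):
        note = " (severity derived from score)" if a.label_derived else ""
        print(f"{a.cve} {a.score} {a.severity}{note} {a.cwe} {a.title}")
    print(cwe_histogram(advs).most_common())
```

The parser refuses rows it cannot account for rather than guessing, so a change in the listing layout surfaces as an error instead of silently dropping an entry from the triage list.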
