
OpenEMR — Vulnerabilities & Security Advisories (120)

Browse all 120 CVE security advisories affecting OpenEMR. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Top products by OpenEMR: OpenEMR (openemr/openemr)
CVE ID | Title | CWE | CVSS | Severity | Published
CVE-2026-25928 | OpenEMR Vulnerable to Path Traversal When Zipping DICOM Folders | CWE-22 | 6.5 | Medium | 2026-03-19
CVE-2026-25744 | OpenEMR: POST /api/.../vital Accepts Attacker-Supplied id and Overwrites Arbitrary Vitals | CWE-639 | 6.5 | Medium | 2026-03-19
CVE-2026-25745 | OpenEMR's Message Update Ignores Patient id | CWE-639 | 6.5 | Medium | 2026-03-18
CVE-2026-32127 | SQL Injection Vulnerability in ajax graphs library (OpenEMR) | CWE-89 | 8.8 | High | 2026-03-11
CVE-2026-32126 | OpenEMR: Inverted ACL Condition in CDR ControllerRouter Allows Any Authenticated User to Modify/Delete Clinical Rules and Plans | CWE-862 | 7.1 | High | 2026-03-11
CVE-2026-32125 | OpenEMR: Stored XSS in Track Anything Graphs via Unescaped Dygraph Titles/Labels | CWE-79 | 5.4 | Medium | 2026-03-11
CVE-2026-32124 | OpenEMR: Dynamic Code Picker Renders Unescaped Descriptions (Stored XSS) | CWE-79 | 5.4 | Medium | 2026-03-11
CVE-2026-32123 | OpenEMR: Therapy Group Sensitivity ACL No Longer Enforced | CWE-863 | 7.7 | High | 2026-03-11
CVE-2026-32122 | OpenEMR: Missing Authorization on Claim File Tracker UI and AJAX Endpoint (V2) | CWE-862 | 4.3 | Medium | 2026-03-11
CVE-2026-32121 | OpenEMR: Stored DOM XSS via `.html()` in Portal Signer Modal | CWE-79 | 7.7 | High | 2026-03-11
CVE-2026-32118 | OpenEMR has Stored XSS in Graphical Pain Map legend via unescaped annotation text | CWE-79 | 5.4 | Medium | 2026-03-11
CVE-2026-24898 | OpenEMR has an Unauthenticated MedEx Token Disclosure | CWE-287 | 10.0 | Critical | 2026-03-03
CVE-2026-25146 | OpenEMR's payments gateway_api_key secret rendered into client JS code | CWE-200 | 9.6 | Critical | 2026-03-03
CVE-2026-24848 | OpenEMR Arbitrary File Write leading to Remote Code Execution | CWE-22 | 8.8 (AI) | High (AI) | 2026-03-03
CVE-2026-25147 | OpenEMR's Portal Payment Endpoint Trusts User-Controlled pid | CWE-639 | 7.1 | High | 2026-02-27
CVE-2026-24488 | OpenEMR Vulnerable to Arbitrary File Exfiltration via Fax Endpoint | CWE-22 | 6.5 | Medium | 2026-02-27
CVE-2026-27943 | OpenEMR's Eye Exam View Trusts form_id Without Verifying Patient/Encounter Ownership | CWE-639 | 6.5 | Medium | 2026-02-26
CVE-2026-25930 | OpenEMR's Printable LBF Endpoint Leaks Arbitrary Patient Forms | CWE-639 | 6.5 | Medium | 2026-02-25
CVE-2026-25929 | OpenEMR Patient Picture Context Allows Arbitrary Patient Photo Retrieval | CWE-639 | 6.5 | Medium | 2026-02-25
CVE-2026-25927 | OpenEMR Missing Authorization Checks in DICOM Viewer State API | CWE-639 | 7.1 | High | 2026-02-25
CVE-2026-25746 | OpenEMR has SQL Injection Vulnerability | CWE-89 | 8.8 | High | 2026-02-25
CVE-2026-25743 | OpenEMR has Stored XSS in Questionnaire answers | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-02-25
CVE-2026-25476 | OpenEMR has Session Timeout Bypass via skip_timeout_reset | CWE-613 | 7.5 | High | 2026-02-25
CVE-2026-25220 | OpenEMR Messages "Show All" Not Restricted to Admins | CWE-639 | 4.3 (AI) | Medium (AI) | 2026-02-25
CVE-2026-25164 | OpenEMR's Document and Insurance REST Endpoints Skip ACL | CWE-862 | 8.1 | High | 2026-02-25
CVE-2026-24908 | OpenEMR has SQL Injection in Patient API Sort Parameter | CWE-89 | 10.0 | Critical | 2026-02-25
CVE-2026-24890 | OpenEMR Portal Users Can Forge Provider Signatures | CWE-285 | 8.1 | High | 2026-02-25
CVE-2026-24487 | OpenEMR has FHIR Patient Compartment Bypass in CareTeam Resource | CWE-200 | 7.5 (AI) | High (AI) | 2026-02-25
CVE-2026-23627 | OpenEMR has SQL Injection in Immunization Search/Report | CWE-89 | 8.8 (AI) | High (AI) | 2026-02-25
CVE-2026-25135 | OpenEMR's location resource for Group.$export operation returns entire patient/user population contact information | CWE-200 | 4.5 | Medium | 2026-02-25

Rows marked (AI) carry the site's AI-estimated CVSS score and severity; unmarked rows show the score as published in the advisory. 30 of the 120 advisories are shown above.

This page lists every published CVE security advisory associated with OpenEMR. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese-language analysis is provided for fast triage.