cbcvebase.
CVE-2026-23627
published 2026-02-25

Priority: P263 | Severity: high | CVSS 3.1: 8.8
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 0.78% (51.3th percentile)

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL injection vulnerability in the Immunization module allows any authenticated user to execute arbitrary SQL queries, leading to complete database compromise, PHI exfiltration, credential theft, and potential remote code execution. The vulnerability exists because user-supplied `patient_id` values are directly concatenated into SQL WHERE clauses without parameterization or escaping. Version 8.0.0 patches the issue.

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| open-emr | openemr | < 8.0.0 | 8.0.0 |
| openemr | openemr | < 8.0.0 | 8.0.0 |

Detection & IOCs (extracted from sources)

  • SQL injection occurs via unsanitized user-supplied `patient_id` values directly concatenated into SQL WHERE clauses in the Immunization module — monitor for anomalous SQL patterns in requests targeting the Immunization module endpoint
  • Any authenticated OpenEMR user (low privilege) can trigger this SQL injection — do not restrict detection scope to admin accounts; alert on unusual SQL query patterns from any authenticated session in OpenEMR versions prior to 8.0.0
  • CVE-2026-23627 is one of two critical-severity CVEs in a batch of 38 OpenEMR vulnerabilities; correlate detections with CVE-2026-24908 activity as both are rated critical and may be chained
  • The attack surface requires authentication; unauthenticated exploitation is not described — detection rules should account for authenticated session context rather than pre-auth traffic
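
A detection sketch for the monitoring described above, added here as an example and not taken from OpenEMR or the cited sources: it flags requests from any authenticated session whose `patient_id` is not a plain integer. The log line layout, the `user=` field, the `/PLACEHOLDER/` paths and the `immunization` path substring are assumptions; adapt them to your own logging.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in a hypothetical format:
#   METHOD URL STATUS user=<session user>
SAMPLE_LOG = """\
GET /PLACEHOLDER/immunization?patient_id=42 200 user=nurse01
GET /PLACEHOLDER/immunization?patient_id=42%20OR%201%3D1 200 user=clerk07
GET /PLACEHOLDER/immunization?patient_id=7%27 500 user=clerk07
GET /PLACEHOLDER/calendar?patient_id=abc 200 user=nurse01
GET /PLACEHOLDER/immunization?patient_id=0017 200 user=admin
"""

LINE_RE = re.compile(
    r"^(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) user=(?P<user>\S+)$"
)
MODULE_HINT = "immunization"          # assumption: substring of the module's URL path
INT_RE = re.compile(r"[0-9]{1,18}")   # a patient id is expected to be a bare integer


def suspicious_patient_ids(log_text):
    """Return (line number, user, decoded value) for each non-integer patient_id."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip here, count separately in production
        parts = urlsplit(m["url"])
        if MODULE_HINT not in parts.path.lower():
            continue  # only the Immunization module is in scope for this rule
        # parse_qsl percent-decodes, so encoded quotes and spaces are seen as sent.
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            # No role filter: the page notes any authenticated user can trigger it.
            if key == "patient_id" and not INT_RE.fullmatch(value):
                findings.append((lineno, m["user"], value))
    return findings


if __name__ == "__main__":
    for lineno, user, value in suspicious_patient_ids(SAMPLE_LOG):
        print(f"line {lineno}: user={user} patient_id={value!r}")
```

Values sent in a POST body do not appear in a URL-only access log, so the same integer check needs to run wherever request bodies are logged.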

CVSS provenance

nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v4.0 | 7.4 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X