CVE-2026-25146
published 2026-03-03

Priority: P3 48
CVSS 3.1: 8.1 (high), AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.44% (35.4th percentile)

OpenEMR is a free and open source electronic health records and medical practice management application. From 5.0.2 to before 8.0.0, there are (at least) two paths where the gateway_api_key secret value is rendered to the client in plaintext. These secret keys being leaked could result in arbitrary money movement or broad account takeover of payment gateway APIs. This vulnerability is fixed in 8.0.0.

Affected (2 ranges)

Vendor | Product | Version range | Fixed in
open-emr | openemr | >= 5.0.2 < 8.0.0 | 8.0.0
openemr | openemr | |