CVE-2026-34053
Published 2026-03-26
Priority P348 | high | CVSS 3.1: 8.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
EPSS: 0.41% (33.2th percentile)
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, missing authorization in the AJAX deletion endpoint `interface/forms/procedure_order/handle_deletions.php` allows any authenticated user, regardless of role, to irreversibly delete procedure orders, answers, and specimens belonging to any patient in the system. Version 8.0.0.3 patches the issue.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| open-emr | openemr | < 8.0.0.3 | 8.0.0.3 |
| openemr | openemr | < 8.0.0.3 | 8.0.0.3 |
No advisories linked to this vulnerability.
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-32126 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-32126 [HIGH] CVE-2026-32126 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32126 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, an inverted boolean condition in ControllerRouter::route() causes the admin/super ACL check to be enforced only for controllers that already have their own internal authorization (review, log), while leaving all other CDR controllers — alerts, ajax, edit, add, detail, browse — accessible to any authenticated user. This allows any logged-in user to suppress clinical decision support alerts system-wide, delete or modify clinical plans, and edit rule configurations — all operations intended to require administrator privileges. This vulnerability is fixed in 8.0.0.1.
Source : NVD
## 8.1
Score
Publish
Wiz
CVE-2026-33304 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-33304 [MEDIUM] CVE-2026-33304 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33304 :
OpenEMR vulnerability analysis and mitigation
sentTo[]
sentBy[]
Source : NVD
## 6.5
Score
Published March 19, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 22.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity MEDIUM Has Fix Added at: Mar 20, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 20, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 22, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 22, 2026
Wiz
CVE-2021-47817 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2021-47817 [MEDIUM] CVE-2021-47817 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2021-47817 :
OpenEMR vulnerability analysis and mitigation
OpenEMR 5.0.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript through user profile parameters. Attackers can exploit the vulnerability by crafting a malicious payload to download and execute a web shell, enabling remote command execution on the vulnerable OpenEMR instance.
Source : NVD
## 4.8
Score
Published January 21, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severit
Wiz
CVE-2026-25135 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.5
CVE-2026-25135 [MEDIUM] CVE-2026-25135 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25135 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0 have an information disclosure vulnerability that leaks the entire contact information for all users, organizations, and patients in the system to anyone who has the system/(Group,Patient,*).$export operation and system/Location.read capabilities. This vulnerability will impact OpenEMR versions since 2023. This disclosure will only occur in extremely high trust environments as it requires using a confidential client with secure key exchange that requires an administrator to enable and grant permission before the app can even be used. This will typically only occur in server-server communication a
Wiz
CVE-2026-33932 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.6
CVE-2026-33932 [HIGH] CVE-2026-33932 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33932 :
OpenEMR vulnerability analysis and mitigation
linkHtml
href="javascript:..."
Source : NVD
## 5.4
Score
Published March 26, 2026
Severity MEDIUM
CNA Score 7.6
Affected Technologies
OpenEMR
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity MEDIUM Has Fix Added at: Mar 26, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 26, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 29, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 29, 2026
Wiz
CVE-2026-29187 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2026-29187 [HIGH] CVE-2026-29187 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29187 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a Blind SQL Injection vulnerability exists in the Patient Search functionality (/interface/new/new_search_popup.php). The vulnerability allows an authenticated attacker to execute arbitrary SQL commands by manipulating the HTTP parameter keys rather than the values. Version 8.0.0.3 contains a patch.
Source : NVD
## 8.8
Score
Published March 25, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N
Wiz
CVE-2026-34056 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2026-34056 [MEDIUM] CVE-2026-34056 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34056 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. A Broken Access Control vulnerability in OpenEMR up to and including version 8.0.0.3 allows low-privilege users to view and download Ensora eRx error logs without proper authorization checks. This flaw compromises system confidentiality by exposing sensitive information, potentially leading to unauthorized data disclosure and misuse. As of time of publication, no known patched versions are available.
Source : NVD
## 6.5
Score
Published March 26, 2026
Severity MEDIUM
CNA Score 7.7
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Ex
Wiz
CVE-2026-33913 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2026-33913 [HIGH] CVE-2026-33913 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33913 :
OpenEMR vulnerability analysis and mitigation
Source : NVD
## 4.9
Score
Published March 25, 2026
Severity MEDIUM
CNA Score 7.7
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity MEDIUM Has Fix Added at: Mar 26, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 26, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 29, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 29, 2026
Wiz
CVE-2026-33305 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2026-33305 [MEDIUM] CVE-2026-33305 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33305 :
OpenEMR vulnerability analysis and mitigation
oe-module-faxsms
getNotificationLog()
AppDispatch
Source : NVD
## 5.4
Score
Published March 19, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity MEDIUM Has Fix Added at: Mar 20, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 20, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 22, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 22, 2026
Wiz
CVE-2026-25131 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-25131 [HIGH] CVE-2026-25131 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25131 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a Broken Access Control vulnerability exists in the OpenEMR order types management system, allowing low-privilege users (such as Receptionist) to add and modify procedure types without proper authorization. This vulnerability is present in the /openemr/interface/orders/types_edit.php endpoint. Version 8.0.0 contains a patch.
Source : NVD
## 8.8
Score
Published February 25, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.5
Explo
Wiz
CVE-2026-33934 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2026-33934 [MEDIUM] CVE-2026-33934 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33934 :
OpenEMR vulnerability analysis and mitigation
portal/sign/lib/show-signature.php
user
save-signature.php
Source : NVD
## 4.3
Score
Published March 26, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity MEDIUM Has Fix Added at: Mar 26, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 26, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 29, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 29, 2026
Wiz
CVE-2026-32125 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2026-32125 [MEDIUM] CVE-2026-32125 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32125 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, track/item names from the Track Anything feature are stored from user input (POST) and later rendered in Dygraph charts (titles/labels) using innerHTML or equivalent without escaping. A user who can create or edit Track Anything items can inject script that runs when any user views the corresponding graph. This vulnerability is fixed in 8.0.0.1.
Source : NVD
## 5.4
Score
Published March 11, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPS
Wiz
CVE-2025-68277 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2025-68277 [HIGH] CVE-2025-68277 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68277 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, when a link is sent via Secure Messaging, clicking the link opens the website within the OpenEMR/Portal site. This behavior could be exploited for phishing. Version 7.0.4 patches the issue.
Source : NVD
## 7.2
Score
Published February 25, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity MEDIUM Has Fix Added
Wiz
CVE-2026-25476 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-25476 [HIGH] CVE-2026-25476 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25476 :
OpenEMR vulnerability analysis and mitigation
library/auth.inc.php
skip_timeout_reset
skip_timeout_reset=1
SessionTracker::isSessionExpired()
skip_timeout_reset=1
Source : NVD
## 7.5
Score
Published February 25, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 33.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity HIGH Has Fix Added at: Mar 02, 2026
Windows Severity HIGH Has Fix Added at: Mar 02, 2026
Linux Severity HIGH Has Fix Added at: Mar 03, 2026
Windows Severity HIGH Has Fix Added at: Mar 03, 2026
Wiz
CVE-2026-33915 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2026-33915 [MEDIUM] CVE-2026-33915 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33915 :
OpenEMR vulnerability analysis and mitigation
RestConfig::request_authorization_check()
Source : NVD
## 5.4
Score
Published March 26, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
OpenEMR
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity MEDIUM Has Fix Added at: Mar 26, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 26, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 29, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 29, 2026
Wiz
CVE-2026-33911 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2026-33911 [MEDIUM] CVE-2026-33911 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33911 :
OpenEMR vulnerability analysis and mitigation
title
json_encode()
text/html
Source : NVD
## 5.4
Score
Published March 25, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
OpenEMR
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity MEDIUM Has Fix Added at: Mar 26, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 26, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 29, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 29, 2026
Wiz
CVE-2026-24908 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.9
CVE-2026-24908 [CRITICAL] CVE-2026-24908 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24908 :
OpenEMR vulnerability analysis and mitigation
_sort
Source : NVD
## 6.5
Score
Published February 25, 2026
Severity MEDIUM
CNA Score 9.9
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity MEDIUM Has Fix Added at: Mar 02, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 02, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 03, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 03, 2026
Wiz
CVE-2026-25743 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2026-25743 [HIGH] CVE-2026-25743 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25743 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, users with the "Forms administration" role can fill questionnaires ("forms") in patient encounters. The answers to the forms are displayed on the encounter page and in the visit history for the users with the same role. There exists a stored cross-site scripting (XSS) vulnerability in the function to display the form answers, allowing any authenticated attacker with the specific role to insert arbitrary JavaScript into the system by entering malicious payloads to the form answers. The JavaScript code is later executed by any user with the form role when viewing the form answers in the patient enc
Wiz
CVE-2026-33303 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2026-33303 [MEDIUM] CVE-2026-33303 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33303 :
OpenEMR vulnerability analysis and mitigation
portal_login_username
Source : NVD
## 5.4
Score
Published March 19, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity MEDIUM Has Fix Added at: Mar 20, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 20, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 22, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 22, 2026
Wiz
CVE-2026-25929 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-25929 [MEDIUM] CVE-2026-25929 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25929 :
OpenEMR vulnerability analysis and mitigation
patient_picture
Source : NVD
## 6.5
Score
Published February 25, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 29.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity MEDIUM Has Fix Added at: Mar 02, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 02, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 03, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 03, 2026
Wiz
CVE-2026-25927 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-25927 [HIGH] CVE-2026-25927 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25927 :
OpenEMR vulnerability analysis and mitigation
doc_id
Source : NVD
## 7.1
Score
Published February 25, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 29.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity HIGH Has Fix Added at: Mar 02, 2026
Windows Severity HIGH Has Fix Added at: Mar 02, 2026
Linux Severity HIGH Has Fix Added at: Mar 03, 2026
Windows Severity HIGH Has Fix Added at: Mar 03, 2026
Wiz
CVE-2026-34051 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2026-34051 [MEDIUM] CVE-2026-34051 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34051 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 have an improper access control on the Import/Export functionality, allowing unauthorized users to perform import and export actions through direct request manipulation despite UI restrictions. This can lead to unauthorized data access, bulk data extraction, and manipulation of system data. Version 8.0.0.3 contains a fix.
Source : NVD
## 5.4
Score
Published March 26, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.9
Exploita
Wiz
CVE-2026-25164 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2026-25164 [HIGH] CVE-2026-25164 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25164 :
OpenEMR vulnerability analysis and mitigation
apis/routes/_rest_routes_standard.inc.php
RestConfig::request_authorization_check()
Source : NVD
## 8.1
Score
Published February 25, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 29.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity HIGH Has Fix Added at: Mar 02, 2026
Windows Severity HIGH Has Fix Added at: Mar 02, 2026
Linux Severity HIGH Has Fix Added at: Mar 03, 2026
Windows Severity HIGH Has Fix Added at: Mar 03, 2026
Wiz
CVE-2026-33301 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-33301 [HIGH] CVE-2026-33301 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33301 :
OpenEMR vulnerability analysis and mitigation
Notes - my encounters
Source : NVD
## 7.1
Score
Published March 19, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 28.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity HIGH Has Fix Added at: Mar 20, 2026
Windows Severity HIGH Has Fix Added at: Mar 20, 2026
Linux Severity HIGH Has Fix Added at: Mar 22, 2026
Windows Severity HIGH Has Fix Added at: Mar 22, 2026
Wiz
CVE-2026-24488 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-24488 [MEDIUM] CVE-2026-24488 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24488 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, an arbitrary file exfiltration vulnerability in the fax sending endpoint allows any authenticated user to read and transmit any file on the server (including database credentials, patient documents, system files, and source code) via fax to an attacker-controlled phone number. The vulnerability exists because the endpoint accepts arbitrary file paths from user input and streams them to the fax gateway without path restrictions or authorization checks. As of time of publication, no known patched versions are available.
Source : NVD
## 6.5
Score
Published February 27, 2026
Sev
Wiz
CVE-2026-33299 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
CVE-2026-33299 [HIGH] CVE-2026-33299 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33299 :
OpenEMR vulnerability analysis and mitigation
Notes - my encounters
Source : NVD
## 8.5
Score
Published March 19, 2026
Severity HIGH
CNA Score 8.5
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.8
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity MEDIUM Has Fix Added at: Mar 20, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 20, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 22, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 22, 2026
Wiz
CVE-2026-33348 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-33348 [HIGH] CVE-2026-33348 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33348 :
OpenEMR vulnerability analysis and mitigation
Notes - my encounters
Source : NVD
## 5.4
Score
Published March 25, 2026
Severity MEDIUM
CNA Score 8.7
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 21.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity MEDIUM Has Fix Added at: Mar 26, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 26, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 29, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 29, 2026
Wiz
CVE-2026-33302 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.3
CVE-2026-33302 [HIGH] CVE-2026-33302 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33302 :
OpenEMR vulnerability analysis and mitigation
AclMain::zhAclCheck()
Source : NVD
## 7.3
Score
Published March 19, 2026
Severity HIGH
CNA Score 7.3
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 27.5
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity HIGH Has Fix Added at: Mar 20, 2026
Windows Severity HIGH Has Fix Added at: Mar 20, 2026
Linux Severity HIGH Has Fix Added at: Mar 22, 2026
Windows Severity HIGH Has Fix Added at: Mar 22, 2026
Wiz
CVE-2026-34053 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2026-34053 [MEDIUM] CVE-2026-34053 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34053 :
OpenEMR vulnerability analysis and mitigation
interface/forms/procedure_order/handle_deletions.php
Source : NVD
## 8.1
Score
Published March 26, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity HIGH Has Fix Added at: Mar 26, 2026
Windows Severity HIGH Has Fix Added at: Mar 26, 2026
Linux Severity HIGH Has Fix Added at: Mar 29, 2026
Windows Severity HIGH Has Fix Added at: Mar 29, 2026
Wiz
CVE-2026-32121 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2026-32121 [HIGH] CVE-2026-32121 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32121 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, Stored XSS in prescription CSS/HTML print view via patient demographics. That finding involves server-side rendering of patient names via raw PHP echo. This finding involves client-side DOM-based rendering via jQuery .html() in a completely different component (portal/sign/assets/signer_api.js). The two share the same root cause (unsanitized patient names in patient_data), but they have different sinks, different affected components, different trigger actions, and require independent fixes. This vulnerability is fixed in 8.0.0.1.
Source : NVD
## 5.4
Score
Published March 11, 2026
Severity MEDIUM
Wiz
CVE-2026-25127 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.0
CVE-2026-25127 [HIGH] CVE-2026-25127 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25127 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the server does not properly validate user permission. Unauthorized users can view the information of authorized users. Version 8.0.0 fixes the issue.
Source : NVD
## 7
Score
Published February 25, 2026
Severity HIGH
CNA Score 7.0
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 29.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity MEDIUM Has Fix Added at: Mar 02, 2026
Windows Severity MEDIU
Wiz
CVE-2026-33918 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.6
CVE-2026-33918 [HIGH] CVE-2026-33918 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33918 :
OpenEMR vulnerability analysis and mitigation
interface/billing/get_claim_file.php
Source : NVD
## 8.8
Score
Published March 26, 2026
Severity HIGH
CNA Score 7.6
Affected Technologies
OpenEMR
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity HIGH Has Fix Added at: Mar 26, 2026
Windows Severity HIGH Has Fix Added at: Mar 26, 2026
Linux Severity HIGH Has Fix Added at: Mar 29, 2026
Windows Severity HIGH Has Fix Added at: Mar 29, 2026
Wiz
CVE-2026-21443 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 1.2
CVE-2026-21443 [LOW] CVE-2026-21443 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21443 :
OpenEMR vulnerability analysis and mitigation
xl()
xlt()
xla()
xlj()
xl()
Source : NVD
## 1.2
Score
Published February 25, 2026
Severity LOW
CNA Score 1.2
Affected Technologies
OpenEMR
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 32.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity MEDIUM Has Fix Added at: Mar 02, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 02, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 03, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 03, 2026
Wiz
CVE-2025-67752 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-67752 [HIGH] CVE-2025-67752 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67752 :
OpenEMR vulnerability analysis and mitigation
oeHttp
oeHttpRequest
verify: false
Source : NVD
## 8.1
Score
Published February 25, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity HIGH Has Fix Added at: Mar 02, 2026
Windows Severity HIGH Has Fix Added at: Mar 02, 2026
Linux Severity HIGH Has Fix Added at: Mar 03, 2026
Windows Severity HIGH Has Fix Added at: Mar 03, 2026
Wiz
CVE-2026-32124 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2026-32124 [MEDIUM] CVE-2026-32124 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32124 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the dynamic code picker AJAX endpoint returns code descriptions (code_text) that are rendered in the front end (e.g. DataTables) without HTML escaping. If an administrator (or user with code management rights) creates or edits a code with a malicious description containing script, that script runs in the browser of every user who uses the picker. This vulnerability is fixed in 8.0.0.1.
Source : NVD
## 5.4
Score
Published March 11, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-24848 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-24848 [HIGH] CVE-2026-24848 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24848 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. In 7.0.4 and earlier, the disposeDocument() method in EtherFaxActions.php allows authenticated users to write arbitrary content to arbitrary locations on the server filesystem. This vulnerability can be exploited to achieve Remote Code Execution (RCE) by uploading malicious PHP web shells.
Source : NVD
## 8.7
Score
Published March 3, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 49.9
Exploitation Probability (EPSS) 0.3
Affected packages and libraries
Wiz
CVE-2026-32119 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.4
CVE-2026-32119 [MEDIUM] CVE-2026-32119 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32119 :
OpenEMR vulnerability analysis and mitigation
library/js/SearchHighlight.js
$()
Source : NVD
## 4.4
Score
Published March 19, 2026
Severity MEDIUM
CNA Score 4.4
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity MEDIUM Has Fix Added at: Mar 20, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 20, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 22, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 22, 2026
Wiz
CVE-2026-32127 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-32127 [HIGH] CVE-2026-32127 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32127 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, OpenEMR contains a SQL injection vulnerability in the ajax graphs library that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the ajax graphs library. This vulnerability is fixed in 8.0.0.1.
Source : NVD
## 8.8
Score
Published March 11, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:open-emr
Wiz
CVE-2026-33321 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2026-33321 [HIGH] CVE-2026-33321 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33321 :
OpenEMR vulnerability analysis and mitigation
Notes - my encounters
Source : NVD
## 7.2
Score
Published March 19, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 28.5
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity HIGH Has Fix Added at: Mar 20, 2026
Windows Severity HIGH Has Fix Added at: Mar 20, 2026
Linux Severity HIGH Has Fix Added at: Mar 22, 2026
Windows Severity HIGH Has Fix Added at: Mar 22, 2026
Wiz
CVE-2026-33909 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
CVE-2026-33909 [MEDIUM] CVE-2026-33909 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33909 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, several variables in the MedEx recall/reminder processing code are concatenated directly into SQL queries without parameterization or type casting, enabling SQL injection. Version 8.0.0.3 contains a patch.
Source : NVD
## 5.9
Score
Published March 25, 2026
Severity MEDIUM
CNA Score 5.9
Affected Technologies
OpenEMR
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity MEDIU
Wiz
CVE-2026-32123 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2026-32123 [HIGH] CVE-2026-32123 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32123 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, sensitivity checks for group encounters are broken because the code only consults form_encounter for sensitivity, while group encounters store sensitivity in form_groups_encounter. As a result, sensitivity is never correctly applied to group encounters, and users who should be restricted from viewing sensitive (e.g. mental health) encounters can view them. This vulnerability is fixed in 8.0.0.1.
Source : NVD
## 6.5
Score
Published March 11, 2026
Severity MEDIUM
CNA Score 7.7
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due
Wiz
CVE-2026-25147 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-25147 [HIGH] CVE-2026-25147 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25147 :
OpenEMR vulnerability analysis and mitigation
portal/portal_payment.php
$pid = $_REQUEST['pid'] ?? $pid
$pid = ($_REQUEST['hidden_patient_code'] ?? null) > 0 ? $_REQUEST['hidden_patient_code'] : $pid
$pid
Source : NVD
## 7.1
Score
Published February 27, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 29.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity HIGH Has Fix Added at: Mar 02, 2026
Windows Severity HIGH Has Fix Added at: Mar 02, 2026
Linux Severity HIGH Has Fix Added at: Mar 04, 2026
Windows Severity HIGH Has Fix Adde
Wiz
CVE-2026-33931 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-33931 [MEDIUM] CVE-2026-33931 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33931 :
OpenEMR vulnerability analysis and mitigation
recid
portal/portal_payment.php
Source : NVD
## 6.5
Score
Published March 26, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity MEDIUM Has Fix Added at: Mar 26, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 26, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 29, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 29, 2026
Wiz
CVE-2026-32238 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2026-32238 [CRITICAL] CVE-2026-32238 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32238 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.2 contain a Command injection vulnerability in the backup functionality that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the backup functionality. Version 8.0.0.2 fixes the issue.
Source : NVD
## 9.1
Score
Published March 19, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 61.1
Exploitation Probability (EPSS) 0.4
Affected packages and libraries
cpe:2.3:a:open-
Wiz
CVE-2025-54373 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2025-54373 [HIGH] CVE-2025-54373 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-54373 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a vulnerability where sensitive data is unintentionally revealed to unauthorized parties. Contents of Clinical Notes and Care Plan, where an encounter has Sensitivity=high, can be viewed and changed by users who do not have Sensitivities=high privilege. Version 7.0.4 fixes the issue.
Source : NVD
## 7.1
Score
Published January 28, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.1
Exploitation Probability (EPSS) N/A
Affect
Wiz
CVE-2026-24898 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2026-24898 [CRITICAL] CVE-2026-24898 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24898 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0, an unauthenticated token disclosure vulnerability in the MedEx callback endpoint allows any unauthenticated visitor to obtain the practice's MedEx API tokens, leading to complete third-party service compromise, PHI exfiltration, unauthorized actions on the MedEx platform, and HIPAA violations. The vulnerability exists because the endpoint bypasses authentication ($ignoreAuth = true) and performs a MedEx login whenever $_POST['callback_key'] is provided, returning the full JSON response including sensitive API tokens. This vulnerability is fixed in 8.0.0.
Source : NVD
## 9.8
Score
Published March 3,
Wiz
CVE-2026-24890 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2026-24890 [HIGH] CVE-2026-24890 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24890 :
OpenEMR vulnerability analysis and mitigation
type=admin-signature
Source : NVD
## 6.5
Score
Published February 25, 2026
Severity MEDIUM
CNA Score 8.1
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 25.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity MEDIUM Has Fix Added at: Mar 02, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 02, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 03, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 03, 2026
Wiz
CVE-2026-32118 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2026-32118 [MEDIUM] CVE-2026-32118 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32118 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, stored cross-site scripting (XSS) in the Graphical Pain Map ("clickmap") form allows any authenticated clinician to inject arbitrary JavaScript that executes in the browser of every subsequent user who views the affected encounter form. Because session cookies are not marked HttpOnly, this enables full session hijacking of other users, including administrators. This vulnerability is fixed in 8.0.0.1.
Source : NVD
## 9
Score
Published March 11, 2026
Severity CRITICAL
CNA Score 5.4
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KE
Wiz
CVE-2026-25744 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-25744 [MEDIUM] CVE-2026-25744 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25744 :
OpenEMR vulnerability analysis and mitigation
id
id
Source : NVD
## 6.5
Score
Published March 19, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 27.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity MEDIUM Has Fix Added at: Mar 20, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 20, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 22, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 22, 2026
Wiz
CVE-2026-33914 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2026-33914 [HIGH] CVE-2026-33914 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33914 :
OpenEMR vulnerability analysis and mitigation
categoriesUpdate
dels
pnVarCleanFromInput()
DELETE
executeStatement()
Source : NVD
## 7.2
Score
Published March 26, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity HIGH Has Fix Added at: Mar 26, 2026
Windows Severity HIGH Has Fix Added at: Mar 26, 2026
Linux Severity HIGH Has Fix Added at: Mar 29, 2026
Windows Severity HIGH Has Fix Added at: Mar 29, 2026
Wiz
CVE-2026-24487 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.7
CVE-2026-24487 [MEDIUM] CVE-2026-24487 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24487 :
OpenEMR vulnerability analysis and mitigation
FhirCareTeamService
IPatientCompartmentResourceService
Source : NVD
## 5.7
Score
Published February 25, 2026
Severity MEDIUM
CNA Score 5.7
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 25.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity MEDIUM Has Fix Added at: Mar 02, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 02, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 03, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 03, 2026
Wiz
CVE-2026-34055 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2026-34055 [MEDIUM] CVE-2026-34055 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34055 :
OpenEMR vulnerability analysis and mitigation
library/pnotes.inc.php
WHERE id = ?
Source : NVD
## 6.3
Score
Published March 26, 2026
Severity MEDIUM
CNA Score 8.1
Affected Technologies
OpenEMR
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity MEDIUM Has Fix Added at: Mar 26, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 26, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 29, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 29, 2026
Wiz
CVE-2026-25746 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-25746 [HIGH] CVE-2026-25746 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25746 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0 contain a SQL injection vulnerability in prescription that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the prescription listing functionality. Version 8.0.0 fixes the vulnerability.
Source : NVD
## 8.8
Score
Published February 25, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:open-
Wiz
CVE-2026-33912 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2026-33912 [MEDIUM] CVE-2026-33912 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33912 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an authenticated attacker could craft a malicious form that, when submitted by a victim, executes arbitrary JavaScript in the victim's browser session. Version 8.0.0.3 patches the issue.
Source : NVD
## 5.4
Score
Published March 25, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
OpenEMR
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity MEDIUM Has Fix Added at:
Wiz
CVE-2026-27943 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-27943 [MEDIUM] CVE-2026-27943 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27943 :
OpenEMR vulnerability analysis and mitigation
form_id
main
Source : NVD
## 6.5
Score
Published February 26, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 29.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity MEDIUM No Fix Added at: Mar 02, 2026
Windows Severity MEDIUM No Fix Added at: Mar 02, 2026
Linux Severity MEDIUM No Fix Added at: Mar 03, 2026
Windows Severity MEDIUM No Fix Added at: Mar 03, 2026
Wiz
CVE-2026-25220 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.7
CVE-2026-25220 [MEDIUM] CVE-2026-25220 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25220 :
OpenEMR vulnerability analysis and mitigation
show_all=yes
getPnotesByUser()
show_all=yes
messages.php?show_all=yes
Source : NVD
## 5.7
Score
Published February 25, 2026
Severity MEDIUM
CNA Score 5.7
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 29.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity MEDIUM Has Fix Added at: Mar 02, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 02, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 03, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 03, 2026
Wiz
CVE-2025-67645 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2025-67645 [HIGH] CVE-2025-67645 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67645 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a broken access control in the Profile Edit endpoint. An authenticated normal user can modify the request parameters (pubpid / pid) to reference another user’s record; the server accepts the modified IDs and applies the changes to that other user’s profile. This allows one user to alter another user’s profile data (name, contact info, etc.), and could enable account takeover. Version 7.0.4 fixes the issue.
Source : NVD
## 8.8
Score
Published January 28, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release
Wiz
CVE-2026-25146 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.6
CVE-2026-25146 [CRITICAL] CVE-2026-25146 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25146 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. From 5.0.2 to before 8.0.0, there are (at least) two paths where the gateway_api_key secret value is rendered to the client in plaintext. These secret keys being leaked could result in arbitrary money movement or broad account takeover of payment gateway APIs. This vulnerability is fixed in 8.0.0.
Source : NVD
## 8.1
Score
Published March 3, 2026
Severity HIGH
CNA Score 9.6
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.2
Exploitation Probability (EPSS) 0.1
Affected packages and li
Wiz
CVE-2026-33346 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-33346 [HIGH] CVE-2026-33346 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33346 :
OpenEMR vulnerability analysis and mitigation
portal/lib/paylib.php
portal/portal_payment.php
Source : NVD
## 8.7
Score
Published March 19, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity HIGH Has Fix Added at: Mar 20, 2026
Windows Severity HIGH Has Fix Added at: Mar 20, 2026
Linux Severity HIGH Has Fix Added at: Mar 22, 2026
Windows Severity HIGH Has Fix Added at: Mar 22, 2026
Wiz
CVE-2026-32122 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2026-32122 [MEDIUM] CVE-2026-32122 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32122 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the Claim File Tracker feature exposes an AJAX endpoint that returns billing claim metadata (claim IDs, payer info, transmission logs). The endpoint does not enforce the same ACL as the main billing/claims workflow, so authenticated users without appropriate billing permissions can access this data. This vulnerability is fixed in 8.0.0.1.
Source : NVD
## 4.3
Score
Published March 11, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 23.3
Wiz
CVE-2025-69231 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2025-69231 [HIGH] CVE-2025-69231 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69231 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a stored cross-site scripting vulnerability in the GAD-7 anxiety assessment form allows authenticated users with clinician privileges to inject malicious JavaScript that executes when other users view the form. This enables session hijacking, account takeover, and privilege escalation from clinician to administrator. Version 8.0.0 fixes the issue.
Source : NVD
## 5.4
Score
Published February 25, 2026
Severity MEDIUM
CNA Score 8.7
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Perc
Wiz
CVE-2026-25745 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-25745 [MEDIUM] CVE-2026-25745 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25745 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, the message/note update endpoint (e.g. PUT or POST) updates by message/note ID only and does not verify that the message belongs to the current patient (or that the user is allowed to edit that patient’s notes). An authenticated user with notes permission can modify any patient’s messages by supplying another message ID. Commit 92a2ff9eaaa80674b3a934a6556e35e7aded5a41 contains a fix for the issue.
Source : NVD
## 6.5
Score
Published March 18, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release
Wiz
CVE-2026-23627 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.4
CVE-2026-23627 [HIGH] CVE-2026-23627 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23627 :
OpenEMR vulnerability analysis and mitigation
patient_id
Source : NVD
## 7.4
Score
Published February 25, 2026
Severity HIGH
CNA Score 7.4
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity HIGH Has Fix Added at: Mar 02, 2026
Windows Severity HIGH Has Fix Added at: Mar 02, 2026
Linux Severity HIGH Has Fix Added at: Mar 03, 2026
Windows Severity HIGH Has Fix Added at: Mar 03, 2026
Wiz
CVE-2026-25124 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-25124 [MEDIUM] CVE-2026-25124 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25124 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the OpenEMR application is vulnerable to an access control flaw that allows low-privileged users, such as receptionists, to export the entire message list containing sensitive patient and user data. The vulnerability lies in the message_list.php report export functionality, where there is no permission check before executing sensitive database queries. The only control in place is CSRF token verification, which does not prevent unauthorized data access if the token is acquired through other means. Version 8.0.0 fixes the vulnerability.
Source : NVD
## 6.5
Score
Published February 25, 2026
Wiz
CVE-2025-67491 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
CVE-2025-67491 [HIGH] CVE-2025-67491 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67491 :
OpenEMR vulnerability analysis and mitigation
$data
json_encode
ac' >
Source : NVD
## 8.5
Score
Published February 25, 2026
Severity HIGH
CNA Score 8.5
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 40.9
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity MEDIUM Has Fix Added at: Mar 02, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 02, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 03, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 03, 2026
Wiz
CVE-2026-25928 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-25928 [MEDIUM] CVE-2026-25928 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25928 :
OpenEMR vulnerability analysis and mitigation
../
Source : NVD
## 6.5
Score
Published March 19, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity MEDIUM Has Fix Added at: Mar 20, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 20, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 22, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 22, 2026
Wiz
CVE-2026-32120 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-32120 [MEDIUM] CVE-2026-32120 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32120 :
OpenEMR vulnerability analysis and mitigation
library/FeeSheet.class.php
drug_sales
prod[][sale_id]
save()
sale_id
Source : NVD
## 6.3
Score
Published March 25, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity MEDIUM Has Fix Added at: Mar 26, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 26, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 29, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 29, 2026
Wiz
CVE-2026-24849 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.9
CVE-2026-24849 [CRITICAL] CVE-2026-24849 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24849 :
OpenEMR vulnerability analysis and mitigation
disposeDocument()
EtherFaxActions.php
Source : NVD
## 6.5
Score
Published February 25, 2026
Severity MEDIUM
CNA Score 9.9
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity MEDIUM Has Fix Added at: Mar 02, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 02, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 03, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 03, 2026
Wiz
CVE-2026-24847 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-24847 [MEDIUM] CVE-2026-24847 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24847 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the Eye Exam form module allows any authenticated user to be redirected to an arbitrary external URL. This can be exploited for phishing attacks against healthcare providers using OpenEMR. Version 8.0.0 fixes the issue.
Source : NVD
## 6.1
Score
Published February 25, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 28
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux
Wiz
CVE-2026-33933 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-33933 [MEDIUM] CVE-2026-33933 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33933 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. Starting in version 7.0.2.1 and prior to version 8.0.0.3, a reflected cross-site scripting (XSS) vulnerability in the custom template editor allows an attacker to execute arbitrary JavaScript in an authenticated staff member's browser session by sending them a crafted URL. The attacker does not need an OpenEMR account. Version 8.0.0.3 patches the issue.
Source : NVD
## 6.1
Score
Published March 26, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.5
Ex
Wiz
CVE-2026-33910 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2026-33910 [HIGH] CVE-2026-33910 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33910 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. Versions up to and including 8.0.0.2 contain a SQL injection vulnerability in the patient selection feature that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the patient selection feature. Version 8.0.0.3 contains a patch.
Source : NVD
## 8.8
Score
Published March 25, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cp
Wiz
CVE-2026-24896 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-24896 [MEDIUM] CVE-2026-24896 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24896 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a Broken Access Control vulnerability exists in OpenEMR’s edih_main.php endpoint, which allows any authenticated user—including low-privilege roles like Receptionist—to access EDI log files by manipulating the log_select parameter in a GET request. The back-end fails to enforce role-based access control (RBAC), allowing sensitive system logs to be accessed outside the GUI-enforced permission boundaries. Version 8.0.0 fixes the issue.
Source : NVD
## 6.5
Score
Published February 25, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exp
Wiz
CVE-2026-33917 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-33917 [HIGH] CVE-2026-33917 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33917 :
OpenEMR vulnerability analysis and mitigation
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 contain a SQL injection vulnerability in the ajax_save CAMOS form that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the ajax_save page in the CAMOS form. Version 8.0.0.3 patches the issue.
Source : NVD
## 8.8
Score
Published March 26, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:
Wiz
CVE-2026-25930 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-25930 [MEDIUM] CVE-2026-25930 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25930 :
OpenEMR vulnerability analysis and mitigation
formid
visitid
patientid
Source : NVD
## 6.5
Score
Published February 25, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
OpenEMR
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 29.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
cpe:2.3:a:open-emr:openemr
Sources
Linux Severity MEDIUM Has Fix Added at: Mar 02, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 02, 2026
Linux Severity MEDIUM Has Fix Added at: Mar 03, 2026
Windows Severity MEDIUM Has Fix Added at: Mar 03, 2026
2026-03-26
Published