OpenEMR (open-emr/openemr) vulnerabilities
216 known vulnerabilities affecting open-emr/openemr.
Total CVEs: 216
CISA KEV: 0
Public exploits: 20
Exploited in wild: 0
Severity breakdown: CRITICAL 14, HIGH 80, MEDIUM 120, LOW 2
Vulnerabilities
Page 10 of 11
CVE-2026-33303 | P4 | MEDIUM | CVSS 5.4 | fixed in 8.0.0.2 | 2026-03-19
CWE-79 (Cross-site Scripting)
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.2 are vulnerable to stored cross-site scripting (XSS) via unescaped `portal_login_username` in the portal credential print view. A patient portal user can set their login username to an XSS payload, which then executes in a
nvd
CVE-2019-3965 | P4 | MEDIUM | CVSS 6.1 | ≤ 5.0.1 (5.0.1 and earlier) | 2019-08-20
CWE-79 (Cross-site Scripting)
In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the document_id parameter. An attacker who lures a logged-in user to a crafted URL can execute arbitrary script in that user's browser, in the context of the user's session.
nvd
CVE-2019-3966 | P4 | MEDIUM | CVSS 6.1 | ≤ 5.0.1 (5.0.1 and earlier) | 2019-08-20
CWE-79 (Cross-site Scripting)
In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the foreign_id parameter. An attacker who lures a logged-in user to a crafted URL can execute arbitrary script in that user's browser, in the context of the user's session.
nvd
CVE-2022-4503 | P4 | MEDIUM | CVSS 6.1 | fixed in 7.0.0.2 | 2022-12-15
CWE-79 (Cross-site Scripting)
Cross-site Scripting (XSS) - Generic in GitHub repository openemr/openemr prior to 7.0.0.2.
nvd
CVE-2022-2731 | P4 | MEDIUM | CVSS 6.1 | fixed in 7.0.0.1 | 2022-08-09
CWE-79 (Cross-site Scripting)
Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/openemr prior to 7.0.0.1.
nvd
CVE-2025-29772 | P4 | MEDIUM | CVSS 6.1 | fixed in 7.0.3 | 2025-03-31
CWE-79 (Cross-site Scripting)
OpenEMR is a free and open source electronic health records and medical practice management application. The POST parameter hidden_subcategory is output to the page without being properly escaped, which leads to a reflected cross-site scripting (XSS) vulnerability in CAMOS new.php. This vulnerability is fixed in 7.0.3.
nvd
CVE-2022-2494 | P4 | MEDIUM | CVSS 5.4 | fixed in 7.0.0 | 2022-07-22
CWE-79 (Cross-site Scripting)
Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.0.
nvd
CVE-2022-2729 | P4 | MEDIUM | CVSS 5.4 | fixed in 7.0.0.1 | 2022-08-09
CWE-79 (Cross-site Scripting)
Cross-site Scripting (XSS) - DOM in GitHub repository openemr/openemr prior to 7.0.0.1.
nvd
CVE-2021-25922 | P4 | MEDIUM | CVSS 6.1 | ≥ 4.2.0, ≤ 6.0.0 | 2021-03-22
Affected versions: 4.2.0, 4.2.0.3, 4.2.1, 4.2.2, 5.0.0, 5.0.0.5, 5.0.0.6, 5.0.1, 5.0.1.1, 5.0.1.2, 5.0.1.3, 5.0.1.4, 5.0.1.5, 5.0.1.6, 5.0.1.7, 5.0.2, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.2.4, 6.0.0
CWE-79 (Cross-site Scripting)
OpenEMR versions 4.2.0 to 6.0.0 are vulnerable to reflected cross-site scripting (XSS) because user input is not properly validated or escaped before being written to the page. An attacker could trick a user into clicking a malicious URL, causing attacker-supplied script to run in that user's browser.
nvd
CVE-2019-17409 | P4 | MEDIUM | CVSS 6.1 | ≥ 5.0.1, < 5.0.2.1 | 2019-10-21
CWE-79 (Cross-site Scripting)
Reflected XSS exists in interface/forms/eye_mag/view.php in OpenEMR 5.x before 5.0.2.1 via the id parameter.
nvd
CVE-2022-1458 | P4 | MEDIUM | CVSS 5.4 | fixed in 6.1.0.1 | 2022-04-25
CWE-79 (Cross-site Scripting)
Stored XSS leading to session hijacking in GitHub repository openemr/openemr prior to 6.1.0.1.
nvd
CVE-2026-32122 | P4 | MEDIUM | CVSS 4.3 | fixed in 8.0.0.1 | 2026-03-11
CWE-862 (Missing Authorization)
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the Claim File Tracker feature exposes an AJAX endpoint that returns billing claim metadata (claim IDs, payer info, transmission logs). The endpoint does not enforce the same ACL as the main billing/claims workflow, so authentic
nvd
CVE-2019-17179 | P4 | MEDIUM | CVSS 6.1 | ≤ 5.0.2 | 2019-10-04
CWE-79 (Cross-site Scripting)
Affected versions: 4.1.0, 4.1.1, 4.1.2, 4.1.2.3, 4.1.2.6, 4.1.2.7, 4.2.0, 4.2.1, 4.2.2, 5.0.0, 5.0.0.5, 5.0.0.6, 5.0.1, 5.0.1.1, 5.0.1.2, 5.0.1.3, 5.0.1.4, 5.0.1.5, 5.0.1.6, 5.0.1.7, 5.0.2; fixed in version 5.0.2.1.
nvd
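The entries on this page state affected versions in several notations: `fixed in X`, `≤ X`, `≥ A, < B`, an exact `vX`, and explicit lists such as the one for CVE-2019-17179 above. OpenEMR versions carry up to four numeric components (5.0.1.7 is a patch release of 5.0.1, and a hypothetical 5.0.10 must sort after 5.0.2), so a plain string comparison gets the answer wrong. The following JavaScript is an added example written for this page; it is not part of the listing or of OpenEMR. The sample entries are constructed from the constraint column above, and the helper names are the example's own.

```javascript
// Added example for this page, not OpenEMR code. Evaluates whether a deployed
// OpenEMR version falls inside the version constraints used in this listing.
// Handled forms: "fixed in X" (affected when v < X), "vX" (exactly X), and
// comma-separated bounds using ≥ / ≤ / < / > (or >= / <=), e.g. "≥ 5.0.1, < 5.0.2.1".

// OpenEMR versions have up to four numeric components (5.0.1.7, 8.0.0.2).
// Missing components are padded with 0 so that 5.0.1 == 5.0.1.0 < 5.0.1.7.
function parseVersion(v) {
  const parts = String(v).trim().replace(/^v/i, '').split('.').map(Number);
  if (parts.length < 1 || parts.length > 4 ||
      parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error('unparseable version: ' + v);
  }
  while (parts.length < 4) parts.push(0);
  return parts;
}

// Numeric, component-wise comparison: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Turn one constraint string from the listing into a predicate over a version.
function constraintToPredicate(constraint) {
  const c = constraint.trim();
  const fixed = c.match(/^fixed in (\S+)$/);
  if (fixed) return (v) => compareVersions(v, fixed[1]) < 0;
  const exact = c.match(/^v(\S+)$/);
  if (exact) return (v) => compareVersions(v, exact[1]) === 0;
  const bounds = c.split(',').map((b) => b.trim().match(/^(≥|>=|≤|<=|<|>)\s*(\S+)$/));
  if (bounds.some((b) => b === null)) {
    throw new Error('unrecognised constraint: ' + constraint);
  }
  return (v) => bounds.every(([, op, ver]) => {
    const cmp = compareVersions(v, ver);
    switch (op) {
      case '≥': case '>=': return cmp >= 0;
      case '≤': case '<=': return cmp <= 0;
      case '<': return cmp < 0;
      case '>': return cmp > 0;
      default: return false;
    }
  });
}

// Constructed sample: ids and constraint strings copied from this page's entries.
const SAMPLE_ENTRIES = [
  { id: 'CVE-2026-33303', constraint: 'fixed in 8.0.0.2' },
  { id: 'CVE-2019-3965', constraint: '≤ 5.0.1' },
  { id: 'CVE-2021-25922', constraint: '≥ 4.2.0, ≤ 6.0.0' },
  { id: 'CVE-2019-17409', constraint: '≥ 5.0.1, < 5.0.2.1' },
  { id: 'CVE-2018-1000020', constraint: 'v5.0.0' },
];

// Ids of the entries whose constraint includes the deployed version.
function applicableEntries(deployedVersion, entries = SAMPLE_ENTRIES) {
  return entries
    .filter((e) => constraintToPredicate(e.constraint)(deployedVersion))
    .map((e) => e.id);
}

// Example run: a site still on 5.0.1 patch 7.
console.log(applicableEntries('5.0.1.7'));
```

One caveat the checker cannot resolve for you: a bound such as `≤ 5.0.1`, taken from NVD's "5.0.1 and earlier", is ambiguous about patch releases. The explicit list for CVE-2019-17179 names 5.0.1.1 through 5.0.1.7 as affected, so when an entry only gives a three-component upper bound, read the advisory or treat the corresponding patch releases as in scope rather than trusting the literal comparison.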
CVE-2022-2734 | P4 | MEDIUM | CVSS 5.4 | fixed in 7.0.0.1 | 2022-08-09
CWE-1021 (Improper Restriction of Rendered UI Layers or Frames)
Improper Restriction of Rendered UI Layers or Frames (clickjacking) in GitHub repository openemr/openemr prior to 7.0.0.1.
nvd
CVE-2023-2674 | P4 | MEDIUM | CVSS 4.3 | fixed in 7.0.1 | 2023-05-12
CWE-284 (Improper Access Control)
Improper Access Control in GitHub repository openemr/openemr prior to 7.0.1.
nvd
CVE-2026-32119 | P4 | MEDIUM | CVSS 4.4 | fixed in 8.0.0.2 | 2026-03-19
CWE-79 (Cross-site Scripting)
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, DOM-based stored XSS in the jQuery SearchHighlight plugin (`library/js/SearchHighlight.js`) allows an authenticated user with encounter form write access to inject arbitrary JavaScript that executes in another clinician's browser
nvd
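The two DOM-based entries (CVE-2022-2729 and CVE-2026-32119 above) and the stored and reflected XSS entries throughout this page share one fix: encode attacker-controlled text for the context it is written into before it reaches the browser. The following JavaScript is an added illustration written for this page, not code from OpenEMR or its SearchHighlight plugin; the function names (escapeHtml, escapeRegex, highlightUnsafe, highlightSafe) and the stored payload are this example's own assumptions. It shows a highlighter that splices stored record text straight into markup beside one that encodes every piece before wrapping the matches.

```javascript
// Added example for this page, not code from OpenEMR or its SearchHighlight
// plugin. Shows the DOM-XSS-prone way to build highlighted markup beside an
// output-encoded version. Function names and the sample payload are this
// example's own.

// Encode the five characters that can change HTML parsing, so untrusted text
// becomes inert when the caller assigns the result to innerHTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Escape regex metacharacters so a user-supplied search term cannot alter the
// pattern (or throw on an unbalanced parenthesis).
function escapeRegex(s) {
  return String(s).replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// VULNERABLE (CWE-79, DOM-based): the stored record text is spliced into
// markup verbatim. A value such as <img src=x onerror=...> saved by one user
// is rendered as a live element in every other user's browser.
function highlightUnsafe(text, term) {
  const re = new RegExp(term, 'gi');
  return String(text).replace(re, (m) => '<span class="hilite">' + m + '</span>');
}

// HARDENED: split the raw text on the (regex-escaped) term, encode every
// piece, and only then wrap the matched pieces. Matching happens on raw text,
// so a term like "<" still works, and no untrusted character reaches the DOM
// unencoded.
function highlightSafe(text, term) {
  if (!term) return escapeHtml(text);
  const re = new RegExp('(' + escapeRegex(term) + ')', 'gi');
  return String(text)
    .split(re) // with a capturing group, the matches land at odd indexes
    .map((part, i) => (i % 2 === 1
      ? '<span class="hilite">' + escapeHtml(part) + '</span>'
      : escapeHtml(part)))
    .join('');
}

// Constructed stored value: what an attacker would save in an encounter form
// field that the search highlighter later renders for other users.
const STORED_PAYLOAD = 'BP 120/80 <img src=x onerror=alert(document.cookie)>';

// Render the same stored value both ways for a search on "src".
function demo() {
  return {
    unsafe: highlightUnsafe(STORED_PAYLOAD, 'src'),
    safe: highlightSafe(STORED_PAYLOAD, 'src'),
  };
}

console.log(demo());
```

The hardened version encodes for the HTML text context only; a value written into an attribute, a URL, or a script block needs the encoder for that context, and building the nodes with `textContent` or `createTextNode` instead of `innerHTML` avoids the question altogether. The same rule applies on the server side of the reflected and stored entries above: OpenEMR's PHP templates should pass values through its `text()` / `attr()` escaping helpers rather than echoing request or database data raw.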
CVE-2018-1000020 | P4 | MEDIUM | CVSS 6.1 | v5.0.0 | 2018-02-09
CWE-79 (Cross-site Scripting)
OpenEMR version 5.0.0 contains a Cross Site Scripting (XSS) vulnerability in open-flash-chart.swf and _posteddata.php. This vulnerability appears to have been fixed in 5.0.0 Patch 2 or higher.
nvd
CVE-2018-1000219 | P4 | MEDIUM | CVSS 5.4 | v5.0.1.4 | 2018-08-20
CWE-79 (Cross-site Scripting)
OpenEMR version v5_0_1_4 contains a Cross Site Scripting (XSS) vulnerability in the 'scan' parameter at line 41 of interface/fax/fax_view.php. It could allow remote authenticated attackers to inject arbitrary web script or HTML. The attack appears to be exploitable when the victim visits a specially crafte
nvd
CVE-2018-1000218 | P4 | MEDIUM | CVSS 5.4 | v5.0.1.4 | 2018-08-20
CWE-79 (Cross-site Scripting)
OpenEMR version v5_0_1_4 contains a Cross Site Scripting (XSS) vulnerability in the 'file' parameter at line 43 of interface/fax/fax_view.php. It could allow remote authenticated attackers to inject arbitrary web script or HTML. The attack appears to be exploitable when the victim visits a specially crafte
nvd
CVE-2017-1000240 | P4 | MEDIUM | CVSS 5.4 | ≤ 5.0.0 | 2017-11-17
CWE-79 (Cross-site Scripting)
OpenEMR version 5.0.0 and prior versions are affected by multiple reflected and stored Cross-Site Scripting (XSS) vulnerabilities. These vulnerabilities could allow remote authenticated attackers to inject arbitrary web script or HTML.
nvd