OpenEMR (open-emr/openemr) vulnerabilities
216 known vulnerabilities affecting open-emr/openemr.
Total CVEs
216
CISA KEV
0
Public exploits
20
Exploited in wild
0
Severity breakdown
CRITICAL 14 · HIGH 80 · MEDIUM 120 · LOW 2
Vulnerabilities
Page 11 of 11
CVE-2023-22972 · P4 · MEDIUM · CVSS 5.4 · CWE-79 · fixed in 7.0.0 · 2023-02-22
A Reflected Cross-site scripting (XSS) vulnerability in interface/forms/eye_mag/php/eye_mag_functions.php in OpenEMR < 7.0.0 allows remote authenticated users to inject arbitrary web script or HTML via the REQUEST_URI.
nvd
CVE-2026-25743 · P4 · MEDIUM · CVSS 4.8 · CWE-79 · fixed in 8.0.0 · 2026-02-25
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, users with the "Forms administration" role can fill questionnaires ("forms") in patient encounters. The answers to the forms are displayed on the encounter page and in the visit history for the users with the same role. The
nvd
CVE-2022-25041 · P4 · MEDIUM · CVSS 4.3 · CWE-668 · v6.0.0 · 2022-03-23
OpenEMR v6.0.0 was discovered to contain an incorrect access control issue.
nvd
CVE-2026-25135 · P4 · MEDIUM · CVSS 4.5 · CWE-200 · fixed in 8.0.0 · 2026-02-25
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0 have an information disclosure vulnerability that leaks the entire contact information for all users, organizations, and patients in the system to anyone who has the system/(Group,Patient,*).$export operation and system/Lo
nvd
CVE-2022-4505 · P4 · MEDIUM · CVSS 4.3 · CWE-639 · fixed in 7.0.0.2 · 2022-12-15
Authorization Bypass Through User-Controlled Key in GitHub repository openemr/openemr prior to 7.0.0.2.
nvd
CVE-2025-68277 · P4 · MEDIUM · CVSS 5.0 · CWE-451 · fixed in 7.0.4 · 2026-02-25
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, when a link is sent via Secure Messaging, clicking the link opens the website within the OpenEMR/Portal site. This behavior could be exploited for phishing. Version 7.0.4 patches the issue.
nvd
CVE-2024-0875 · P4 · MEDIUM · CVSS 4.8 · CWE-79 · v7.0.1 · 2024-11-15
A stored cross-site scripting (XSS) vulnerability exists in openemr/openemr version 7.0.1. An attacker can inject malicious payloads into the 'inputBody' field in the Secure Messaging feature, which can then be sent to other users. When the recipient views the malicious message, the payload is executed, potentially compromising their account. This issu
nvd
CVE-2021-25918 · P4 · MEDIUM · CVSS 4.8 · CWE-79 · affected ≥ 5.0.2, ≤ 6.0.0 (v5.0.2, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.2.4, 6.0.0) · 2021-03-22
In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly and rendered in the TOTP Authentication method page. A highly privileged attacker could inject arbitrary code into input fields when creating a new user.
nvd
CVE-2021-25917 · P4 · MEDIUM · CVSS 4.8 · CWE-79 · affected ≥ 5.0.2, ≤ 6.0.0 (v5.0.2, 5.0.2.1, 5.0.2.2, 5.0.2.3, 5.0.2.4, 6.0.0) · 2021-03-22
In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly and rendered in the U2F USB Device authentication method page. A highly privileged attacker could inject arbitrary code into input fields when creating a new user.
nvd
CVE-2022-4733 · P4 · MEDIUM · CVSS 4.8 · CWE-79 · fixed in 7.0.0.2 · 2022-12-27
Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.0.2.
nvd
CVE-2023-2566 · P4 · MEDIUM · CVSS 4.8 · CWE-79 · fixed in 7.0.1 · 2023-05-08
Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.1.
nvd
CVE-2025-30149 · P4 · MEDIUM · CVSS 4.6 · CWE-79 · fixed in 7.0.3 · 2025-03-31
OpenEMR is a free and open source electronic health records and medical practice management application. OpenEMR allows reflected cross-site scripting (XSS) in the AJAX Script interface\super\layout_listitems_ajax.php via the target parameter. This vulnerability is fixed in 7.0.3.
nvd
CVE-2022-1177 · P4 · MEDIUM · CVSS 4.3 · CWE-1220 · fixed in 6.1.0 · 2022-03-30
Accounting User Can Download Patient Reports in openemr in GitHub repository openemr/openemr prior to 6.1.0.
nvd
CVE-2021-32103 · P4 · MEDIUM · CVSS 4.8 · CWE-79 · affected ≤ 5.0.2.1 · 2021-05-07
A Stored XSS vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.1 allows an admin-authenticated user to inject arbitrary web script or HTML via the lname parameter.
nvd
CVE-2024-26476 · P4 · LOW · CVSS 3.5 · CWE-918 · fixed in 7.0.2 · 2024-02-28
An issue in open-emr before v.7.0.2 allows a remote attacker to escalate privileges via a crafted script to the formid parameter in the ereq_form.php component.
nvd
CVE-2022-1180 · P4 · LOW · CVSS 3.5 · CWE-79 · fixed in 6.0.0.4 · 2022-03-30
Reflected Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4.
nvd