CVE-2026-25744— OpenEMR 安全漏洞
新しい脆弱性情報の通知を購読するログインして購読
I. CVE-2026-25744の基本情報
脆弱性情報
脆弱性についてご質問がありますか?Shenlongの分析が参考になるかご確認ください!
Shenlongの10の質問を表示 ↗ 高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。
脆弱性タイトル
OpenEMR: POST /api/.../vital Accepts Attacker-Supplied id and Overwrites Arbitrary Vitals
ソース: NVD (National Vulnerability Database)
脆弱性説明
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the encounter vitals API accepts an `id` in the request body and treats it as an UPDATE. There is no verification that the vital belongs to the current patient or encounter. An authenticated user with encounters/notes permission can overwrite any patient's vitals by supplying another patient's vital `id`, leading to medical record tampering. Version 8.0.0.2 fixes the issue.
ソース: NVD (National Vulnerability Database)
CVSS情報
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
ソース: NVD (National Vulnerability Database)
脆弱性タイプ
通过用户控制密钥绕过授权机制
ソース: NVD (National Vulnerability Database)
脆弱性タイトル
OpenEMR 安全漏洞
ソース: CNNVD (China National Vulnerability Database)
脆弱性説明
OpenEMR是OpenEMR社区的一套开源的医疗管理系统。该系统可用于医疗实践管理、电子医疗记录、处方书写和医疗帐单申请。 OpenEMR 8.0.0.2之前版本存在安全漏洞,该漏洞源于encounter vitals API未验证生命体征是否属于当前患者或遭遇,可能导致经过身份验证的用户篡改医疗记录。
ソース: CNNVD (China National Vulnerability Database)
CVSS情報
N/A
ソース: CNNVD (China National Vulnerability Database)
脆弱性タイプ
N/A
ソース: CNNVD (China National Vulnerability Database)
影響を受ける製品
II. CVE-2026-25744の公開POC
| # | POC説明 | ソースリンク | Shenlongリンク |
|---|
AI生成POCプレミアム
公開POCは見つかりませんでした。
ログインしてAI POCを生成III. CVE-2026-25744のインテリジェンス情報
请登录查看更多情报信息。
- Merge commit from fork · openemr/openemr@c3a47c3 · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-25744
Same Patch Batch · openemr · 2026-03-19 · 12 CVEs total
| CVE-2026-32238 | 9.1 CRITICAL | OpenEMR has Remote Code Execution in backup functionality |
| CVE-2026-33346 | 8.7 HIGH | OpenEMR has stored XSS in portal_payment.php via Unescaped table_args |
| CVE-2026-25928 | 6.5 MEDIUM | OpenEMR Vulnerable to Path Traversal When Zipping DICOM Folders |
| CVE-2026-33304 | 6.5 MEDIUM | OpenEMR has Authorization Bypass in Dated Reminders Log |
| CVE-2026-33305 | 5.4 MEDIUM | OpenEMR has Authorization Bypass in FaxSMS AppDispatch Constructor |
| CVE-2026-33303 | 5.4 MEDIUM | OpenEMR Vulnerable to Stored XSS via Unescaped portal_login_username in Credential Print V |
| CVE-2026-32119 | 4.4 MEDIUM | OpenEMR has Stored DOM XSS via SearchHighlight text-node reconstruction on Custom Report p |
| CVE-2026-33301 | OpenEMR has arbitrary image file read via PDF generator | |
| CVE-2026-33321 | OpenEMR has Out-of-Band Server-Side Request Forgery (OOB SSRF) | |
| CVE-2026-33299 | OpenEMR has Stored XSS in patient encounter Eye Exam form answers | |
| CVE-2026-33302 | OpenEMR: zhAclCheck Ignores Explicit ACL Denies |
IV. 関連脆弱性
同じ製品: openemr
- CVE-2023-54347
OpenEMR 7.0.1 Authentication Brute Force Mitigation Bypass - CVE-2026-34056
OpenEMR has a Privilege Escalation that Allows a Low-Level U - CVE-2026-34055
OpenEMR has IDOR in Patient Notes Web UI allows unauthorized - CVE-2026-34053
OpenEMR Missing Authorization in Procedure Order AJAX Deleti - CVE-2026-34051
OpenEMR has Improper ACL On Import/Export Popup
同じベンダー: openemr
- CVE-2026-34056
OpenEMR has a Privilege Escalation that Allows a Low-Level U - CVE-2026-34055
OpenEMR has IDOR in Patient Notes Web UI allows unauthorized - CVE-2026-34053
OpenEMR Missing Authorization in Procedure Order AJAX Deleti - CVE-2026-34051
OpenEMR has Improper ACL On Import/Export Popup - CVE-2026-33934
OpenEMR's Missing Authorization in show-signature.php Allows
同じ弱点: CWE-639
- CVE-2026-8196
JeecgBoot mLogin Endpoint LoginController.java authorization - CVE-2026-42291
SysReptor: Read-write access to personal notes by sharing-li - CVE-2026-44400
MailEnable Enterprise Premium < 10.55 Authorization Bypass v - CVE-2026-42279
solidtime: Time entry update endpoint allows cross-organizat - CVE-2026-42277
Onyx: IDOR in /chat/file/{file_id} allows any authenticated
V. CVE-2026-25744へのコメント
まだコメントはありません