
OpenEMR — Vulnerabilities & Security Advisories (120)

Browse all 120 CVE security advisories affecting OpenEMR. AI-powered Chinese analysis, POCs, and references for each vulnerability.

OpenEMR is an open-source electronic health record and medical practice management application designed to facilitate patient data management and clinical workflows. Historically, its codebase has exhibited significant security flaws, with over 120 Common Vulnerabilities and Exposures (CVEs) recorded. These vulnerabilities predominantly involve remote code execution, cross-site scripting, and privilege escalation, often stemming from insufficient input validation and improper access controls within the PHP-based architecture. Notable incidents include critical flaws allowing unauthenticated attackers to execute arbitrary commands or bypass authentication mechanisms, exposing sensitive patient information. The high volume of historical CVEs reflects challenges in maintaining rigorous security standards across a large, community-driven codebase. While recent updates have addressed many issues, the application’s complexity and extensive feature set continue to present attack surfaces that require diligent patching and configuration hardening to mitigate risks associated with data breaches and unauthorized system access.

Top products by OpenEMR: OpenEMR (openemr/openemr)
CVE ID | Title | Product | CWE | CVSS | Severity | Published
CVE-2026-25131 | OpenEMR has Broken Access Control in Procedures Configuration | openemr | CWE-862 | 8.8 | High | 2026-02-25
CVE-2026-25127 | OpenEMR has Broken Access Control on Care Coordination Module | openemr | CWE-863 | 3.5 | - | 2026-02-25
CVE-2026-25124 | OpenEMR has Broken Access Control in Report/Clients/Message List CSV Export | openemr | CWE-862 | 6.5 | Medium | 2026-02-25
CVE-2026-24896 | OpenEMR has Broken Access Control that allows unauthorized access to EDI Logs | openemr | CWE-284 | 6.5 | Medium | 2026-02-25
CVE-2026-24849 | OpenEMR Arbitrary File Read Vulnerability | openemr | CWE-22 | 10.0 | Critical | 2026-02-25
CVE-2026-24847 | OpenEMR has Open Redirect in Eye Exam Form | openemr | CWE-601 | 6.1 | Medium | 2026-02-25
CVE-2026-21443 | OpenEMR allows inconsistent escaping of translation function output | openemr | CWE-116 | 6.1 | - | 2026-02-25
CVE-2025-69231 | OpenEMR has a Stored XSS in GAD-7 Form that Enables Session Hijacking and Privilege Escalation | openemr | CWE-79 | 8.7 | High | 2026-02-25
CVE-2025-68277 | OpenEMR allows links sent via Secure Messaging to be opened in OpenEMR and Portal | openemr | CWE-451 | 6.1 | - | 2026-02-25
CVE-2025-67752 | OpenEMR Has Disabled SSL Certificate Verification in HTTP Client | openemr | CWE-295 | 8.1 | High | 2026-02-25
CVE-2025-67491 | OpenEMR has Stored XSS in ub04 helper | openemr | CWE-79 | 5.4 | - | 2026-02-25
CVE-2025-67645 | OpenEMR Vulnerable to Broken Access Control in Profile Edit Endpoint | openemr | CWE-284 | 8.8 | High | 2026-01-27
CVE-2025-54373 | OpenEMR may expose Contents of Clinical Notes and Care Plan to users who do not have Sensitivities=high privilege | openemr | CWE-200 | 5.4 (AI) | Medium (AI) | 2026-01-27
CVE-2025-43860 | OpenEMR Vulnerable to Stored XSS Attack in the Additional Address Section of Patient Demographics | openemr | CWE-79 | 7.6 | High | 2025-05-23
CVE-2025-32967 | OpenEMR doesn't log password administration properly | openemr | CWE-778 | 5.4 | Medium | 2025-05-23
CVE-2025-32794 | OpenEMR Stored XSS via Patient Name Field in Procedure Orders | openemr | CWE-79 | 7.6 | High | 2025-05-23
CVE-2025-31121 | OpenEMR allows XSS in Patient Image feature | openemr | CWE-79 | 5.4 (AI) | Medium (AI) | 2025-04-01
CVE-2025-31117 | OpenEMR Out-of-Band Server-Side Request Forgery (OOB SSRF) Vulnerability | openemr | CWE-918 | 7.5 | - | 2025-03-31
CVE-2025-30161 | OpenEMR Stored XSS in OpenEMR Bronchitis Form | openemr | CWE-80 | 5.4 | - | 2025-03-31
CVE-2025-30149 | OpenEMR Reflected XSS in AJAX Script | openemr | CWE-79 | 6.4 | Medium | 2025-03-31
CVE-2025-29772 | OpenEMR allows Reflected XSS in CAMOS new.php | openemr | CWE-79 | 6.1 | - | 2025-03-31
CVE-2025-29789 | OpenEMR Has Directory Traversal in Load Code feature | openemr | CWE-23 | 6.5 (AI) | Medium (AI) | 2025-03-25
CVE-2024-0875 | Stored XSS in openemr/openemr | openemr/openemr | CWE-79 | 5.4 (AI) | Medium (AI) | 2024-11-15
CVE-2023-2950 | Improper Authorization in openemr/openemr | openemr/openemr | CWE-285 | 7.1 | - | 2023-05-28
CVE-2023-2949 | Cross-site Scripting (XSS) - Reflected in openemr/openemr | openemr/openemr | CWE-79 | 6.1 | - | 2023-05-28
CVE-2023-2948 | Cross-site Scripting (XSS) - Generic in openemr/openemr | openemr/openemr | CWE-79 | 5.4 | - | 2023-05-28
CVE-2023-2947 | Cross-site Scripting (XSS) - Stored in openemr/openemr | openemr/openemr | CWE-79 | 5.4 | - | 2023-05-27
CVE-2023-2946 | Improper Access Control in openemr/openemr | openemr/openemr | CWE-284 | 5.4 | - | 2023-05-27
CVE-2023-2945 | Missing Authorization in openemr/openemr | openemr/openemr | CWE-862 | 6.5 | - | 2023-05-27
CVE-2023-2944 | Improper Access Control in openemr/openemr | openemr/openemr | CWE-284 | 5.4 | - | 2023-05-27

Values marked (AI) carry the site's AI badge on that score or severity; "-" means no severity is listed for that entry.

This page lists every published CVE security advisory associated with OpenEMR. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.