Every CVE whose affected-product data names Open-emr Openemr, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (200)
CVE-2026-24898 — CVSS 10.0 (critical): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0, an unauthenticated…
CVE-2026-24849 — CVSS 9.9 (critical): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, the…
CVE-2026-24908 — CVSS 9.9 (critical): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL…
CVE-2026-24848 — CVSS 9.9 (critical): OpenEMR is a free and open source electronic health records and medical practice management application. In 7.0.4 and earlier, the…
CVE-2018-17181 — CVSS 9.8 (critical): An issue was discovered in OpenEMR before 5.0.1 Patch 7. SQL Injection exists in the SaveAudit function in /portal/lib/paylib.php and the…
CVE-2018-15145 — CVSS 9.8 (critical): Multiple SQL injection vulnerabilities in portal/add_edit_event_user.php in versions of OpenEMR before 5.0.1.4 allow a remote attacker to…
CVE-2018-15143 — CVSS 9.8 (critical): Multiple SQL injection vulnerabilities in portal/find_appt_popup_user.php in versions of OpenEMR before 5.0.1.4 allow a remote attacker to…
CVE-2020-13567 — CVSS 9.8 (critical): Multiple SQL injection vulnerabilities exist in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker…
CVE-2018-17179 — CVSS 9.8 (critical): An issue was discovered in OpenEMR before 5.0.1 Patch 7. There is SQL Injection in the make_task function in /interface/forms/eye_mag/php/ta…
CVE-2024-22611 — CVSS 9.8 (critical): OpenEMR 7.0.2 is vulnerable to SQL Injection via \openemr\library\classes\Pharmacy.class.php, \controllers\C_Pharmacy.class.php and…
CVE-2019-17197 — CVSS 9.8 (critical): OpenEMR through 5.0.2 has SQL Injection in the Lifestyle demographic filter criteria in library/clinical_rules.php that affects…
CVE-2024-37734 — CVSS 9.8 (critical): An issue in OpenEMR 7.0.2 allows a remote attacker to escalate privileges viaa crafted POST request using the noteid parameter.
CVE-2026-25146 — CVSS 9.6 (critical): OpenEMR is a free and open source electronic health records and medical practice management application. From 5.0.2 to before 8.0.0, there…
CVE-2026-32238 — CVSS 9.1 (critical): OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.2 contain…
CVE-2018-15152 — CVSS 9.1 (critical): Authentication bypass vulnerability in portal/account/register.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker to access…
CVE-2022-2824 — CVSS 8.8 (high): Authorization Bypass Through User-Controlled Key in GitHub repository openemr/openemr prior to 7.0.0.1.
CVE-2026-33917 — CVSS 8.8 (high): OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 contais…
CVE-2013-10044 — CVSS 8.8 (high): An authenticated SQL injection vulnerability exists in OpenEMR ≤ 4.1.1 Patch 14 that allows a low-privileged attacker to extract…
CVE-2017-9380 — CVSS 8.8 (high): OpenEMR 5.0.0 and prior allows low-privilege users to upload files of dangerous types which can result in arbitrary code execution within…
CVE-2018-1000019 — CVSS 8.8 (high): OpenEMR version 5.0.0 contains a OS Command Injection vulnerability in fax_dispatch.php that can result in OS command injection by an…
CVE-2018-10573 — CVSS 8.8 (high): interface/fax/fax_dispatch.php in OpenEMR before 5.0.1 allows remote authenticated users to bypass intended access restrictions via the…
CVE-2018-15139 — CVSS 8.8 (high): Unrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote authenticated…
CVE-2026-32127 — CVSS 8.8 (high): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, OpenEMR contains…
CVE-2018-15142 — CVSS 8.8 (high): Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the…
CVE-2018-15144 — CVSS 8.8 (high): SQL injection vulnerability in interface/de_identification_forms/find_drug_popup.php in versions of OpenEMR before 5.0.1.4 allows a remote…
CVE-2018-15146 — CVSS 8.8 (high): SQL injection vulnerability in interface/de_identification_forms/find_immunization_popup.php in versions of OpenEMR before 5.0.1.4 allows a…
CVE-2018-15147 — CVSS 8.8 (high): SQL injection vulnerability in interface/forms_admin/forms_admin.php from library/registry.inc in versions of OpenEMR before 5.0.1.4 allows…
CVE-2018-15148 — CVSS 8.8 (high): SQL injection vulnerability in interface/patient_file/encounter/search_code.php in versions of OpenEMR before 5.0.1.4 allows a remote…
CVE-2018-15149 — CVSS 8.8 (high): SQL injection vulnerability in interface/forms/eye_mag/php/Anything_simple.php from library/forms.inc in versions of OpenEMR before 5.0.1.4…
CVE-2018-15150 — CVSS 8.8 (high): SQL injection vulnerability in interface/de_identification_forms/de_identification_screen2.php in versions of OpenEMR before 5.0.1.4 allows…
CVE-2018-15151 — CVSS 8.8 (high): SQL injection vulnerability in interface/de_identification_forms/find_code_popup.php in versions of OpenEMR before 5.0.1.4 allows a remote…
CVE-2018-15153 — CVSS 8.8 (high): OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands…
CVE-2018-15154 — CVSS 8.8 (high): OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands…
CVE-2018-15155 — CVSS 8.8 (high): OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands…
CVE-2018-15156 — CVSS 8.8 (high): OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary commands…
CVE-2018-16795 — CVSS 8.8 (high): OpenEMR 5.0.1.3 allows Cross-Site Request Forgery (CSRF) via library/ajax and interface/super, as demonstrated by use of…
CVE-2018-9250 — CVSS 8.8 (high): interface\super\edit_list.php in OpenEMR before v5_0_1_1 allows remote authenticated users to execute arbitrary SQL commands via the…
CVE-2019-14530 — CVSS 8.8 (high): An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download any file…
CVE-2019-16404 — CVSS 8.8 (high): Authenticated SQL Injection in interface/forms/eye_mag/js/eye_base.php in OpenEMR through 5.0.2 allows a user to extract arbitrary data…
CVE-2026-25746 — CVSS 8.8 (high): OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0 contain a…
CVE-2026-25131 — CVSS 8.8 (high): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a Broken…
CVE-2019-3968 — CVSS 8.8 (high): In OpenEMR 5.0.1 and earlier, an authenticated attacker can execute arbitrary commands on the host system via the Scanned Forms interface…
CVE-2026-23627 — CVSS 8.8 (high): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL…
CVE-2025-67645 — CVSS 8.8 (high): OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a…
CVE-2020-13566 — CVSS 8.8 (high): SQL injection vulnerabilities exist in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker can send an…
CVE-2020-13568 — CVSS 8.8 (high): SQL injection vulnerability exists in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker can send an…
CVE-2020-13569 — CVSS 8.8 (high): A cross-site request forgery vulnerability exists in the GACL functionality of OpenEMR 5.0.2 and development version 6.0.0 (commit…
CVE-2020-19364 — CVSS 8.8 (high): OpenEMR 5.0.1 allows an authenticated attacker to upload and execute malicious PHP scripts through /controller.php.
CVE-2020-36243 — CVSS 8.8 (high): The Patient Portal of OpenEMR 5.0.2.1 is affected by a Command Injection vulnerability in /interface/main/backup.php. To exploit the…
CVE-2023-22973 — CVSS 8.8 (high): A Local File Inclusion (LFI) vulnerability in interface/forms/LBF/new.php in OpenEMR < 7.0.0 allows remote authenticated users to execute…
CVE-2021-32102 — CVSS 8.8 (high): A SQL injection vulnerability exists (with user privileges) in library/custom_template/ajax_code.php in OpenEMR 5.0.2.1.
CVE-2022-4506 — CVSS 8.8 (high): Unrestricted Upload of File with Dangerous Type in GitHub repository openemr/openemr prior to 7.0.0.2.
CVE-2021-32104 — CVSS 8.8 (high): A SQL injection vulnerability exists (with user privileges) in interface/forms/eye_mag/save.php in OpenEMR 5.0.2.1.
CVE-2022-4505 — CVSS 8.8 (high): Authorization Bypass Through User-Controlled Key in GitHub repository openemr/openemr prior to 7.0.0.2.
CVE-2026-33346 — CVSS 8.7 (high): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, a stored…
CVE-2025-69231 — CVSS 8.7 (high): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a stored…
CVE-2026-33348 — CVSS 8.7 (high): OpenEMR is a free and open source electronic health records and medical practice management application. Users with the `Notes - my…
CVE-2022-1459 — CVSS 8.3 (high): Non-Privilege User Can View Patient’s Disclosures in GitHub repository openemr/openemr prior to 6.1.0.1.
CVE-2021-32101 — CVSS 8.2 (high): The Patient Portal of OpenEMR 5.0.2.1 is affected by a incorrect access control system in portal/patient/_machine_config.php. To exploit…
CVE-2025-67752 — CVSS 8.1 (high): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, OpenEMR's…
CVE-2026-33301 — CVSS 8.1 (high): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users with the…
CVE-2026-24890 — CVSS 8.1 (high): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an…
CVE-2026-33302 — CVSS 8.1 (high): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the module ACL…
CVE-2021-25923 — CVSS 8.1 (high): In OpenEMR, versions 5.0.0 to 6.0.0.1 are vulnerable to weak password requirements as it does not enforce a maximum password length limit…
CVE-2026-34055 — CVSS 8.1 (high): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the…
CVE-2026-29187 — CVSS 8.1 (high): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a Blind…
CVE-2022-2493 — CVSS 8.1 (high): Data Access from Outside Expected Data Manager Component in GitHub repository openemr/openemr prior to 7.0.0.
CVE-2026-25164 — CVSS 8.1 (high): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the REST…
CVE-2017-1000241 — CVSS 8.1 (high): The application OpenEMR version 5.0.0, 5.0.1-dev and prior is affected by vertical privilege escalation vulnerability. This vulnerability…
CVE-2022-25471 — CVSS 8.1 (high): An Insecure Direct Object Reference (IDOR) vulnerability in OpenEMR 6.0.0 allows any authenticated attacker to access and modify…
CVE-2026-33913 — CVSS 7.7 (high): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an…
CVE-2026-32123 — CVSS 7.7 (high): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, sensitivity…
CVE-2026-34056 — CVSS 7.7 (high): OpenEMR is a free and open source electronic health records and medical practice management application. A Broken Access Control…
CVE-2026-32121 — CVSS 7.7 (high): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, Stored XSS in…
CVE-2026-46518 — CVSS 7.7 (high): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.1, a stored…
CVE-2025-43860 — CVSS 7.6 (high): OpenEMR is a free and open source electronic health records and medical practice management application. A stored cross-site scripting…
CVE-2025-32794 — CVSS 7.6 (high): OpenEMR is a free and open source electronic health records and medical practice management application. A stored cross-site scripting…
CVE-2026-33932 — CVSS 7.6 (high): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a stored…
CVE-2026-33918 — CVSS 7.6 (high): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the…
CVE-2026-33321 — CVSS 7.6 (high): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users with the…
CVE-2025-29789 — CVSS 7.5 (high): OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.3.0 are…
CVE-2012-2115 — CVSS 7.5 (high): SQL injection vulnerability in interface/login/validateUser.php in OpenEMR 4.1.0 and possibly earlier allows remote attackers to execute…
CVE-2017-12064 — CVSS 7.5 (high): The csv_log_html function in library/edihistory/edih_csv_inc.php in OpenEMR 5.0.0 and prior allows attackers to bypass intended access…
CVE-2017-16540 — CVSS 7.5 (high): OpenEMR before 5.0.0 Patch 5 allows unauthenticated remote database copying because setup.php exposes functionality for cloning an existing…
CVE-2023-22974 — CVSS 7.5 (high): A Path Traversal in setup.php in OpenEMR < 7.0.0 allows remote unauthenticated users to read arbitrary files by controlling a connection to…
CVE-2023-54347 — CVSS 7.5 (high): OpenEMR 7.0.1 contains an authentication brute force vulnerability that allows attackers to bypass rate limiting protections by sending…
CVE-2025-31117 — CVSS 7.5 (high): OpenEMR is a free and open source electronic health records and medical practice management application. An Out-of-Band Server-Side Request…
CVE-2026-25476 — CVSS 7.5 (high): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the…
CVE-2020-29139 — CVSS 7.2 (high): A SQL injection vulnerability in interface/main/finder/patient_select.php from library/patient.inc in OpenEMR before 5.0.2.5 allows a…
CVE-2026-33914 — CVSS 7.2 (high): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the…
CVE-2020-29140 — CVSS 7.2 (high): A SQL injection vulnerability in interface/reports/immunization_report.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker…
CVE-2020-29142 — CVSS 7.2 (high): A SQL injection vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker…
CVE-2020-29143 — CVSS 7.2 (high): A SQL injection vulnerability in interface/reports/non_reported.php in OpenEMR before 5.0.2.5 allows a remote authenticated attacker to…
CVE-2026-33910 — CVSS 7.2 (high): OpenEMR is a free and open source electronic health records and medical practice management application. Versions up to and including…
CVE-2026-25927 — CVSS 7.1 (high): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the DICOM…
CVE-2026-32126 — CVSS 7.1 (high): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, an inverted…
CVE-2026-34053 — CVSS 7.1 (high): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, missing…
CVE-2026-25147 — CVSS 7.1 (high): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, in…
CVE-2011-5161 — CVSS 6.8 (medium): Unrestricted file upload vulnerability in the patient photograph functionality in OpenEMR 4 allows remote attackers to execute arbitrary…
CVE-2026-24488 — CVSS 6.5 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including…
CVE-2019-3967 — CVSS 6.5 (medium): In OpenEMR 5.0.1 and earlier, the patient file download interface contains a directory traversal flaw that allows authenticated attackers…
CVE-2026-24896 — CVSS 6.5 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a Broken…
CVE-2021-25920 — CVSS 6.5 (medium): In OpenEMR, versions v2.7.2-rc1 to 6.0.0 are vulnerable to Improper Access Control when creating a new user, which leads to a malicious…
CVE-2026-25124 — CVSS 6.5 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the…
CVE-2022-1461 — CVSS 6.5 (medium): Non Privilege User can Enable or Disable Registered in GitHub repository openemr/openemr prior to 6.1.0.1.
CVE-2026-25127 — CVSS 6.5 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the server…
CVE-2026-25928 — CVSS 6.5 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the DICOM…
CVE-2026-25929 — CVSS 6.5 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the…
CVE-2026-25930 — CVSS 6.5 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the…
CVE-2026-33304 — CVSS 6.5 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an authorization…
CVE-2026-27943 — CVSS 6.5 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including…
CVE-2018-10572 — CVSS 6.5 (medium): interface/patient_file/letter.php in OpenEMR before 5.0.1 allows remote authenticated users to bypass intended access restrictions via the…
CVE-2018-15140 — CVSS 6.5 (medium): Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the…
CVE-2026-25220 — CVSS 6.5 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the…
CVE-2021-41843 — CVSS 6.5 (medium): An authenticated SQL injection issue in the calendar search function of OpenEMR 6.0.0 before patch 3 allows an attacker to read data from…
CVE-2013-4619 — CVSS 6.5 (medium): Multiple SQL injection vulnerabilities in OpenEMR 4.1.1 allow remote authenticated users to execute arbitrary SQL commands via the (1)…
CVE-2021-40352 — CVSS 6.5 (medium): OpenEMR 6.0.0 has a pnotes_print.php?noteid= Insecure Direct Object Reference vulnerability via which an attacker can read the messages of…
CVE-2014-5462 — CVSS 6.5 (medium): Multiple SQL injection vulnerabilities in OpenEMR 4.1.2 (Patch 7) and earlier allow remote authenticated users to execute arbitrary SQL…
CVE-2025-54373 — CVSS 6.5 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a…
CVE-2022-2730 — CVSS 6.5 (medium): Authorization Bypass Through User-Controlled Key in GitHub repository openemr/openemr prior to 7.0.0.1.
CVE-2026-32120 — CVSS 6.5 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an…
CVE-2026-33931 — CVSS 6.5 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an…
CVE-2026-25744 — CVSS 6.5 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the encounter…
CVE-2026-25745 — CVSS 6.5 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including…
CVE-2026-24487 — CVSS 6.5 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an…
CVE-2018-15141 — CVSS 6.5 (medium): Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in the…
CVE-2025-30149 — CVSS 6.4 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. OpenEMR allows reflected…
CVE-2018-18035 — CVSS 6.1 (medium): A vulnerability in flashcanvas.swf in OpenEMR before 5.0.1 Patch 6 could allow an unauthenticated, remote attacker to conduct a cross-site…
CVE-2019-17409 — CVSS 6.1 (medium): Reflected XSS exists in interface/forms/eye_mag/view.php in OpenEMR 5.x before 5.0.2.1 ia the id parameter.
CVE-2019-16862 — CVSS 6.1 (medium): Reflected XSS in interface/forms/eye_mag/view.php in OpenEMR 5.x before 5.0.2.1 allows a remote attacker to execute arbitrary code in the…
CVE-2021-25922 — CVSS 6.1 (medium): In OpenEMR, versions 4.2.0 to 6.0.0 are vulnerable to Reflected Cross-Site-Scripting (XSS) due to user input not being validated properly…
CVE-2026-33933 — CVSS 6.1 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. Starting in version 7.0.2.1 and…
CVE-2017-6394 — CVSS 6.1 (medium): Multiple Cross-Site Scripting (XSS) issues were discovered in OpenEMR 5.0.0 and 5.0.1-dev. The vulnerabilities exist due to insufficient…
CVE-2018-1000020 — CVSS 6.1 (medium): OpenEMR version 5.0.0 contains a Cross Site Scripting (XSS) vulnerability in open-flash-chart.swf and _posteddata.php that can result in…
CVE-2018-10571 — CVSS 6.1 (medium): Multiple reflected cross-site scripting (XSS) vulnerabilities in OpenEMR before 5.0.1 allow remote attackers to inject arbitrary web script…
CVE-2025-29772 — CVSS 6.1 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. The POST parameter…
CVE-2020-13565 — CVSS 6.1 (medium): An open redirect vulnerability exists in the return_page redirection functionality of phpGACL 3.3.7, OpenEMR 5.0.2 and OpenEMR development…
CVE-2020-13564 — CVSS 6.1 (medium): A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to…
CVE-2020-13563 — CVSS 6.1 (medium): A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to…
CVE-2026-21443 — CVSS 6.1 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the `xl()`…
CVE-2020-13562 — CVSS 6.1 (medium): A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can lead to…
CVE-2026-24847 — CVSS 6.1 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the Eye…
CVE-2019-3966 — CVSS 6.1 (medium): In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the foreign_id parameter. This could allow an…
CVE-2019-3965 — CVSS 6.1 (medium): In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the document_id parameter. This could allow an…
CVE-2019-3963 — CVSS 6.1 (medium): In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the patient_id parameter. This could allow an…
CVE-2019-3964 — CVSS 6.1 (medium): In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the doc_id parameter. This could allow an attacker…
CVE-2026-33909 — CVSS 5.9 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, several…
CVE-2026-33911 — CVSS 5.4 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the POST…
CVE-2021-47817 — CVSS 5.4 (medium): OpenEMR 5.0.2.1 contains a cross-site scripting vulnerability in user profile parameters that authenticated attackers can chain with a file…
CVE-2022-2734 — CVSS 5.4 (medium): Improper Restriction of Rendered UI Layers or Frames in GitHub repository openemr/openemr prior to 7.0.0.1.
CVE-2026-34051 — CVSS 5.4 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 have an…
CVE-2023-22972 — CVSS 5.4 (medium): A Reflected Cross-site scripting (XSS) vulnerability in interface/forms/eye_mag/php/eye_mag_functions.php in OpenEMR < 7.0.0 allows remote…
CVE-2021-25921 — CVSS 5.4 (medium): In OpenEMR, versions 2.7.3-rc1 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly…
CVE-2025-30161 — CVSS 5.4 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. A stored XSS vulnerability in the…
CVE-2025-31121 — CVSS 5.4 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 7.0.3.1, the Patient…
CVE-2025-32967 — CVSS 5.4 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. A logging oversight in versions…
CVE-2025-67491 — CVSS 5.4 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. Versions 5.0.0.5 through 7.0.3.4…
CVE-2026-32118 — CVSS 5.4 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, stored…
CVE-2026-32124 — CVSS 5.4 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the dynamic code…
CVE-2026-32125 — CVSS 5.4 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, track/item names…
CVE-2026-33299 — CVSS 5.4 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users with the…
CVE-2026-33303 — CVSS 5.4 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.2 are…
CVE-2026-33305 — CVSS 5.4 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an authorization…
CVE-2018-1000219 — CVSS 5.4 (medium): OpenEMR version v5_0_1_4 contains a Cross Site Scripting (XSS) vulnerability in The 'scan' parameter in line #41 of interface/fax/fax_view.p…
CVE-2018-1000218 — CVSS 5.4 (medium): OpenEMR version v5_0_1_4 contains a Cross Site Scripting (XSS) vulnerability in The 'file' parameter in line #43 of interface/fax/fax_view.p…
CVE-2022-24643 — CVSS 5.4 (medium): A stored cross-site scripting (XSS) issue was discovered in the OpenEMR Hospital Information Management System version 6.0.0.
CVE-2026-33912 — CVSS 5.4 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an…
CVE-2026-33915 — CVSS 5.4 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, five…
CVE-2017-1000240 — CVSS 5.4 (medium): The application OpenEMR is affected by multiple reflected & stored Cross-Site Scripting (XSS) vulnerabilities affecting version 5.0.0 and…
CVE-2022-1179 — CVSS 5.4 (medium): Non-Privilege User Can Created New Rule and Lead to Stored Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4.
CVE-2018-17180 — CVSS 5.3 (medium): An issue was discovered in OpenEMR before 5.0.1 Patch 7. Directory Traversal exists via docid=../ to /portal/lib/download_template.php.
CVE-2015-4453 — CVSS 5.0 (medium): interface/globals.php in OpenEMR 2.x, 3.x, and 4.x before 4.2.0 patch 2 allows remote attackers to bypass authentication and obtain…
CVE-2025-68277 — CVSS 5.0 (medium): OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, when a…
CVE-2021-25918 — CVSS 4.8 (medium): In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated properly and…