
OpenEMR (open emr / openemr)

223 known vulnerabilities across versions
Vulnerabilities are listed by affected version range. Each entry gives the CVE identifier, the affected range (one of `< X`, `<= X`, `>= X and < Y`, or `all versions` where no range is recorded), the opening of the CVE description, and the CVSS base score with its severity; the oldest entries at the bottom carry no score in this listing.
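The affected-range strings above are easy to read one at a time but awkward to check by hand across two hundred entries, and OpenEMR mixes three- and four-part version numbers (7.0.3 versus 7.0.3.4, where 7.0.3 is older). The Python below is an added example for this page, not code from threatengine.sh or from the OpenEMR project: it parses the four range notations used in this listing, pads version tuples so that 7.0.3 compares as 7.0.3.0, and reports which entries cover a given installed version. The `ENTRIES` table is a small subset copied from the list on this page; the installed version strings passed to it are constructed inputs, and the `-rcN`/`-N` suffix handling is an assumption made so that strings such as `2.7.3-rc1` and `v5.0.1-6` (as they appear in the descriptions) parse.

```python
"""Match an installed OpenEMR version against the affected-version ranges
used on this page ("< 8.0.0.3", ">= 7.0.2.1 and < 8.0.0.3", "<= 8.0.0",
"all versions").  Added example; the ENTRIES subset is copied from the
listing, the versions fed to it are constructed inputs."""
import re
from typing import List, Tuple

# Comparison operators accepted inside a range clause.
_OPS = {
    "<":  lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
    ">":  lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "=":  lambda a, b: a == b,
}
# "<=" and ">=" are listed before "<" and ">" so the two-character form wins.
_CLAUSE = re.compile(r"^(<=|>=|<|>|=)\s*([0-9]+(?:\.[0-9]+)*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """'7.0.2.1' -> (7, 0, 2, 1).  A leading 'v' and any '-suffix' are
    dropped (assumption: '5.0.2-rc1' and 'v5.0.1-6' compare as 5.0.2 / 5.0.1)."""
    core = text.strip().lstrip("v").split("-")[0]
    if not re.fullmatch(r"[0-9]+(\.[0-9]+)*", core):
        raise ValueError(f"not a version: {text!r}")
    return tuple(int(p) for p in core.split("."))


def _pad(a: Tuple[int, ...], b: Tuple[int, ...]):
    """Right-pad with zeros so 7.0.3 == 7.0.3.0 and 7.0.3 < 7.0.3.4."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_in_range(version: str, range_expr: str) -> bool:
    """True if `version` satisfies every clause of `range_expr`."""
    expr = range_expr.strip().lower()
    if expr == "all versions":
        return True
    v = parse_version(version)
    for clause in expr.split(" and "):
        m = _CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"unparseable range clause: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        a, b = _pad(v, bound)
        if not _OPS[op](a, b):
            return False
    return True


# (CVE, affected range, CVSS base score) copied from the listing on this page.
ENTRIES = [
    ("CVE-2026-34056", "<= 8.0.0.3", 7.7),
    ("CVE-2026-33933", ">= 7.0.2.1 and < 8.0.0.3", 6.1),
    ("CVE-2026-24898", "< 8.0.0", 10.0),
    ("CVE-2026-25146", ">= 5.0.2 and < 8.0.0", 9.6),
    ("CVE-2025-29789", "< 7.0.3", 7.5),
    ("CVE-2023-54347", "all versions", 7.5),
]


def matching_cves(version: str, entries=ENTRIES, min_cvss: float = 0.0) -> List[str]:
    """CVE IDs whose range covers `version`, highest CVSS first."""
    hits = [(cvss, cve) for cve, rng, cvss in entries
            if cvss >= min_cvss and version_in_range(version, rng)]
    return [cve for _, cve in sorted(hits, reverse=True)]


if __name__ == "__main__":
    # Constructed input: an installation still on 7.0.2.1.
    for cve in matching_cves("7.0.2.1", min_cvss=7.0):
        print(cve)
```

Note the `"all versions"` entries: the database uses that label when no range was recorded, not as a statement that every release is affected, so a match there means "read the description and decide", not "confirmed vulnerable". The same caveat applies when the range column and the description disagree (CVE-2026-24848 says `< 7.0.4` in one and "7.0.4 and earlier" in the other); the description, not the range column, is what the CVE record actually states.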
CVE-2023-54347
all versions
OpenEMR 7.0.1 contains an authentication brute force vulnerability that allows attackers to bypass rate limiting protections by se
7.5HIGH
CVE-2026-34056
<= 8.0.0.3
OpenEMR is a free and open source electronic health records and medical practice management application. A Broken Access Control v
7.7HIGH
CVE-2026-34055
< 8.0.0.3
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3,
8.1HIGH
CVE-2026-34053
< 8.0.0.3
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3,
7.1HIGH
CVE-2026-34051
< 8.0.0.3
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3
5.4MEDIUM
CVE-2026-33934
< 8.0.0.3
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3
4.3MEDIUM
CVE-2026-33933
>= 7.0.2.1 and < 8.0.0.3
OpenEMR is a free and open source electronic health records and medical practice management application. Starting in version 7.0.2
6.1MEDIUM
CVE-2026-33932
< 8.0.0.3
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3,
7.6HIGH
CVE-2026-33931
< 8.0.0.3
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3,
6.5MEDIUM
CVE-2026-33918
< 8.0.0.3
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3,
7.6HIGH
CVE-2026-33917
< 8.0.0.3
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3
8.8HIGH
CVE-2026-33915
< 8.0.0.3
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3,
5.4MEDIUM
CVE-2026-33914
< 8.0.0.3
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3,
7.2HIGH
CVE-2026-33913
< 8.0.0.3
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3,
7.7HIGH
CVE-2026-33912
< 8.0.0.3
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3,
5.4MEDIUM
CVE-2026-33911
< 8.0.0.3
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3,
5.4MEDIUM
CVE-2026-33910
< 8.0.0.3
OpenEMR is a free and open source electronic health records and medical practice management application. Versions up to and includ
7.2HIGH
CVE-2026-33909
< 8.0.0.3
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3,
5.9MEDIUM
CVE-2026-33348
< 8.0.0.3
OpenEMR is a free and open source electronic health records and medical practice management application. Users with the `Notes -
8.7HIGH
CVE-2026-32120
< 8.0.0.3
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3,
6.5MEDIUM
CVE-2026-29187
< 8.0.0.3
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3,
8.1HIGH
CVE-2026-33346
< 8.0.0.2
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, a store
8.7HIGH
CVE-2026-33321
< 8.0.0.2
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users w
7.6HIGH
CVE-2026-33305
< 8.0.0.2
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an auth
5.4MEDIUM
CVE-2026-33304
< 8.0.0.2
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an auth
6.5MEDIUM
CVE-2026-33303
< 8.0.0.2
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.2
5.4MEDIUM
CVE-2026-33302
< 8.0.0.2
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the mod
8.1HIGH
CVE-2026-33301
< 8.0.0.2
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users
8.1HIGH
CVE-2026-33299
< 8.0.0.2
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users w
5.4MEDIUM
CVE-2026-32238
< 8.0.0.2
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.2
9.1CRITICAL
CVE-2026-32119
< 8.0.0.2
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, DOM-bas
4.4MEDIUM
CVE-2026-25928
< 8.0.0.2
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the DIC
6.5MEDIUM
CVE-2026-25744
< 8.0.0.2
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, the enc
6.5MEDIUM
CVE-2026-25745
<= 8.0.0
OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and inc
6.5MEDIUM
CVE-2026-32127
< 8.0.0.1
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, OpenEMR
8.8HIGH
CVE-2026-32126
< 8.0.0.1
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, an inve
7.1HIGH
CVE-2026-32125
< 8.0.0.1
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, track/i
5.4MEDIUM
CVE-2026-32124
< 8.0.0.1
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the dyn
5.4MEDIUM
CVE-2026-32123
< 8.0.0.1
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, sensiti
7.7HIGH
CVE-2026-32122
< 8.0.0.1
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the Cla
4.3MEDIUM
CVE-2026-32121
< 8.0.0.1
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, Stored
7.7HIGH
CVE-2026-32118
< 8.0.0.1
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, stored
5.4MEDIUM
CVE-2026-25146
>= 5.0.2 and < 8.0.0
OpenEMR is a free and open source electronic health records and medical practice management application. From 5.0.2 to before 8.0.
9.6CRITICAL
CVE-2026-24898
< 8.0.0
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0, an unauth
10.0CRITICAL
CVE-2026-24848
< 7.0.4
OpenEMR is a free and open source electronic health records and medical practice management application. In 7.0.4 and earlier, the
9.9CRITICAL
CVE-2026-25147
< 8.0.0
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, i
7.1HIGH
CVE-2026-24488
<= 8.0.0
OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and inc
6.5MEDIUM
CVE-2026-27943
<= 8.0.0
OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and inc
6.5MEDIUM
CVE-2026-25930
< 8.0.0
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, t
6.5MEDIUM
CVE-2026-25929
< 8.0.0
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, t
6.5MEDIUM
CVE-2026-25927
< 8.0.0
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0,
7.1HIGH
CVE-2026-25746
< 8.0.0
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0 c
8.8HIGH
CVE-2026-25743
< 8.0.0
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, u
4.8MEDIUM
CVE-2026-25476
< 8.0.0
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, t
7.5HIGH
CVE-2026-25220
< 8.0.0
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, t
6.5MEDIUM
CVE-2026-25164
< 8.0.0
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, t
8.1HIGH
CVE-2026-24908
< 8.0.0
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a
9.9CRITICAL
CVE-2026-24890
< 8.0.0
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a
8.1HIGH
CVE-2026-24487
< 8.0.0
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a
6.5MEDIUM
CVE-2026-23627
< 8.0.0
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a
8.8HIGH
CVE-2026-25135
< 8.0.0
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0 h
4.5MEDIUM
CVE-2026-25131
< 8.0.0
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a
8.8HIGH
CVE-2026-25127
< 8.0.0
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, t
6.5MEDIUM
CVE-2026-25124
< 8.0.0
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, t
6.5MEDIUM
CVE-2026-24896
< 8.0.0
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a
6.5MEDIUM
CVE-2026-24849
< 7.0.4
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, t
9.9CRITICAL
CVE-2026-24847
< 8.0.0
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, t
6.1MEDIUM
CVE-2026-21443
< 8.0.0
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, t
6.1MEDIUM
CVE-2025-69231
< 8.0.0
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a
8.7HIGH
CVE-2025-68277
< 7.0.4
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, w
5.0MEDIUM
CVE-2025-67752
< 7.0.4
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, O
8.1HIGH
CVE-2025-67491
>= 5.0.0.5 and < 7.0.4
OpenEMR is a free and open source electronic health records and medical practice management application. Versions 5.0.0.5 through
5.4MEDIUM
CVE-2025-67645
all versions
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 h
8.8HIGH
CVE-2025-54373
all versions
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 h
6.5MEDIUM
CVE-2021-47817
all versions
OpenEMR 5.0.2.1 contains a cross-site scripting vulnerability in user profile parameters that authenticated attackers can chain wi
5.4MEDIUM
CVE-2013-10044
<= 4.1.1
An authenticated SQL injection vulnerability exists in OpenEMR ≤ 4.1.1 Patch 14 that allows a low-privileged attacker to extract
8.8HIGH
CVE-2025-43860
< 7.0.3.4
OpenEMR is a free and open source electronic health records and medical practice management application. A stored cross-site scrip
7.6HIGH
CVE-2025-32967
< 7.0.3.4
OpenEMR is a free and open source electronic health records and medical practice management application. A logging oversight in ve
5.4MEDIUM
CVE-2025-32794
< 7.0.3.4
OpenEMR is a free and open source electronic health records and medical practice management application. A stored cross-site scrip
7.6HIGH
CVE-2024-22611
all versions
OpenEMR 7.0.2 is vulnerable to SQL Injection via \openemr\library\classes\Pharmacy.class.php, \controllers\C_Pharmacy.class.php an
9.8CRITICAL
CVE-2025-31121
< 7.0.3.1
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 7.0.3.1, the Pat
5.4MEDIUM
CVE-2025-31117
< 7.0.3.1
OpenEMR is a free and open source electronic health records and medical practice management application. An Out-of-Band Server-Sid
7.5HIGH
CVE-2025-30161
< 7.0.3
OpenEMR is a free and open source electronic health records and medical practice management application. A stored XSS vulnerabilit
5.4MEDIUM
CVE-2025-30149
< 7.0.3
OpenEMR is a free and open source electronic health records and medical practice management application. OpenEMR allows reflected
6.4MEDIUM
CVE-2025-29772
< 7.0.3
OpenEMR is a free and open source electronic health records and medical practice management application. The POST parameter hidden
6.1MEDIUM
CVE-2025-29789
< 7.0.3
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.3 a
7.5HIGH
CVE-2024-0875
all versions
A stored cross-site scripting (XSS) vulnerability exists in openemr/openemr version 7.0.1. An attacker can inject malicious payloa
4.8MEDIUM
CVE-2024-37734
all versions
An issue in OpenEMR 7.0.2 allows a remote attacker to escalate privileges via a crafted POST request using the noteid parameter.
9.8CRITICAL
CVE-2024-26476
< 7.0.2
An issue in open-emr before v.7.0.2 allows a remote attacker to escalate privileges via a crafted script to the formid parameter i
3.5LOW
CVE-2023-2950
< 7.0.1
Improper Authorization in GitHub repository openemr/openemr prior to 7.0.1.
8.1HIGH
CVE-2023-2949
< 7.0.1
Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/openemr prior to 7.0.1.
6.1MEDIUM
CVE-2023-2948
< 7.0.1
Cross-site Scripting (XSS) - Generic in GitHub repository openemr/openemr prior to 7.0.1.
6.1MEDIUM
CVE-2023-2947
< 7.0.1
Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.1.
4.8MEDIUM
CVE-2023-2946
< 7.0.1
Improper Access Control in GitHub repository openemr/openemr prior to 7.0.1.
8.1HIGH
CVE-2023-2945
< 7.0.1
Missing Authorization in GitHub repository openemr/openemr prior to 7.0.1.
5.4MEDIUM
CVE-2023-2944
< 7.0.1
Improper Access Control in GitHub repository openemr/openemr prior to 7.0.1.
5.4MEDIUM
CVE-2023-2943
< 7.0.1
Code Injection in GitHub repository openemr/openemr prior to 7.0.1.
8.8HIGH
CVE-2023-2942
< 7.0.1
Improper Input Validation in GitHub repository openemr/openemr prior to 7.0.1.
8.1HIGH
CVE-2023-2674
< 7.0.1
Improper Access Control in GitHub repository openemr/openemr prior to 7.0.1.
4.3MEDIUM
CVE-2023-2566
< 7.0.1
Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.1.
4.8MEDIUM
CVE-2023-22974
< 7.0.0
A Path Traversal in setup.php in OpenEMR < 7.0.0 allows remote unauthenticated users to read arbitrary files by controlling a conn
7.5HIGH
CVE-2023-22973
< 7.0.0
A Local File Inclusion (LFI) vulnerability in interface/forms/LBF/new.php in OpenEMR < 7.0.0 allows remote authenticated users to
8.8HIGH
CVE-2023-22972
< 7.0.0
A Reflected Cross-site scripting (XSS) vulnerability in interface/forms/eye_mag/php/eye_mag_functions.php in OpenEMR < 7.0.0 allow
5.4MEDIUM
CVE-2022-4733
< 7.0.0.2
Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.0.2.
4.8MEDIUM
CVE-2022-4615
< 7.0.0.2
Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/openemr prior to 7.0.0.2.
6.1MEDIUM
CVE-2022-4567
< 7.0.0.2
Improper Access Control in GitHub repository openemr/openemr prior to 7.0.0.2.
8.1HIGH
CVE-2022-4506
< 7.0.0.2
Unrestricted Upload of File with Dangerous Type in GitHub repository openemr/openemr prior to 7.0.0.2.
8.8HIGH
CVE-2022-4505
< 7.0.0.2
Authorization Bypass Through User-Controlled Key in GitHub repository openemr/openemr prior to 7.0.0.2.
8.8HIGH
CVE-2022-4504
< 7.0.0.2
Improper Input Validation in GitHub repository openemr/openemr prior to 7.0.0.2.
7.5HIGH
CVE-2022-4503
< 7.0.0.2
Cross-site Scripting (XSS) - Generic in GitHub repository openemr/openemr prior to 7.0.0.2.
6.1MEDIUM
CVE-2022-4502
< 7.0.0.2
Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/openemr prior to 7.0.0.2.
6.1MEDIUM
CVE-2022-2824
< 7.0.0.1
Authorization Bypass Through User-Controlled Key in GitHub repository openemr/openemr prior to 7.0.0.1.
8.8HIGH
CVE-2022-2734
< 7.0.0.1
Improper Restriction of Rendered UI Layers or Frames in GitHub repository openemr/openemr prior to 7.0.0.1.
5.4MEDIUM
CVE-2022-2733
< 7.0.0.1
Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/openemr prior to 7.0.0.1.
6.1MEDIUM
CVE-2022-2732
< 7.0.0.1
Missing Authorization in GitHub repository openemr/openemr prior to 7.0.0.1.
8.3HIGH
CVE-2022-2731
< 7.0.0.1
Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/openemr prior to 7.0.0.1.
6.1MEDIUM
CVE-2022-2730
< 7.0.0.1
Authorization Bypass Through User-Controlled Key in GitHub repository openemr/openemr prior to 7.0.0.1.
6.5MEDIUM
CVE-2022-2729
< 7.0.0.1
Cross-site Scripting (XSS) - DOM in GitHub repository openemr/openemr prior to 7.0.0.1.
5.4MEDIUM
CVE-2022-2494
< 7.0.0
Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.0.
5.4MEDIUM
CVE-2022-2493
< 7.0.0
Data Access from Outside Expected Data Manager Component in GitHub repository openemr/openemr prior to 7.0.0.
8.1HIGH
CVE-2022-1461
< 6.1.0.1
Non-Privileged User Can Enable or Disable Registered in GitHub repository openemr/openemr prior to 6.1.0.1.
6.5MEDIUM
CVE-2022-1459
< 6.1.0.1
Non-Privileged User Can View Patient's Disclosures in GitHub repository openemr/openemr prior to 6.1.0.1.
8.3HIGH
CVE-2022-1458
< 6.1.0.1
Stored XSS Leads To Session Hijacking in GitHub repository openemr/openemr prior to 6.1.0.1.
5.4MEDIUM
CVE-2020-13567
all versions
Multiple SQL injection vulnerabilities exist in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An at
9.8CRITICAL
CVE-2022-1181
< 6.0.0.2
Stored Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.2.
5.4MEDIUM
CVE-2022-1180
< 6.0.0.4
Reflected Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4.
3.5LOW
CVE-2022-1179
< 6.0.0.4
Non-Privileged User Can Create New Rule, Leading to Stored Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.
5.4MEDIUM
CVE-2022-1178
< 6.0.0.4
Stored Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4.
5.4MEDIUM
CVE-2022-1177
< 6.1.0
Accounting User Can Download Patient Reports in openemr in GitHub repository openemr/openemr prior to 6.1.0.
4.3MEDIUM
CVE-2022-24643
all versions
A stored cross-site scripting (XSS) issue was discovered in the OpenEMR Hospital Information Management System version 6.0.0.
5.4MEDIUM
CVE-2022-25041
all versions
OpenEMR v6.0.0 was discovered to contain an incorrect access control issue.
4.3MEDIUM
CVE-2022-25471
all versions
An Insecure Direct Object Reference (IDOR) vulnerability in OpenEMR 6.0.0 allows any authenticated attacker to access and modify u
8.1HIGH
CVE-2021-41843
all versions
An authenticated SQL injection issue in the calendar search function of OpenEMR 6.0.0 before patch 3 allows an attacker to read da
6.5MEDIUM
CVE-2021-40352
all versions
OpenEMR 6.0.0 has a pnotes_print.php?noteid= Insecure Direct Object Reference vulnerability via which an attacker can read the mes
6.5MEDIUM
CVE-2021-25923
>= 5.0.0 and <= 6.0.0.1
In OpenEMR, versions 5.0.0 to 6.0.0.1 are vulnerable to weak password requirements as it does not enforce a maximum password lengt
8.1HIGH
CVE-2021-32104
all versions
A SQL injection vulnerability exists (with user privileges) in interface/forms/eye_mag/save.php in OpenEMR 5.0.2.1.
8.8HIGH
CVE-2021-32103
<= 5.0.2.1
A Stored XSS vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.1 allows an admin authenticated user
4.8MEDIUM
CVE-2021-32102
all versions
A SQL injection vulnerability exists (with user privileges) in library/custom_template/ajax_code.php in OpenEMR 5.0.2.1.
8.8HIGH
CVE-2021-32101
all versions
The Patient Portal of OpenEMR 5.0.2.1 is affected by an incorrect access control system in portal/patient/_machine_config.php. To e
8.2HIGH
CVE-2020-13568
all versions
SQL injection vulnerability exists in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker can
8.8HIGH
CVE-2020-13566
all versions
SQL injection vulnerabilities exist in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker ca
8.8HIGH
CVE-2021-25922
>= 4.2.0 and <= 6.0.0
In OpenEMR, versions 4.2.0 to 6.0.0 are vulnerable to Reflected Cross-Site-Scripting (XSS) due to user input not being validated p
6.1MEDIUM
CVE-2021-25921
>= 2.7.3 and <= 6.0.0
In OpenEMR, versions 2.7.3-rc1 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated
5.4MEDIUM
CVE-2021-25920
>= 2.7.2 and <= 6.0.0
In OpenEMR, versions v2.7.2-rc1 to 6.0.0 are vulnerable to Improper Access Control when creating a new user, which leads to a mali
6.5MEDIUM
CVE-2021-25919
>= 5.0.2 and <= 6.0.0
In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated prop
4.8MEDIUM
CVE-2021-25918
>= 5.0.2 and <= 6.0.0
In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated prop
4.8MEDIUM
CVE-2021-25917
>= 5.0.2 and <= 6.0.0
In OpenEMR, versions 5.0.2 to 6.0.0 are vulnerable to Stored Cross-Site-Scripting (XSS) due to user input not being validated prop
4.8MEDIUM
CVE-2020-29143
< 5.0.2.5
A SQL injection vulnerability in interface/reports/non_reported.php in OpenEMR before 5.0.2.5 allows a remote authenticated attack
7.2HIGH
CVE-2020-29140
< 5.0.2.5
A SQL injection vulnerability in interface/reports/immunization_report.php in OpenEMR before 5.0.2.5 allows a remote authenticated
7.2HIGH
CVE-2020-29139
< 5.0.2.5
A SQL injection vulnerability in interface/main/finder/patient_select.php from library/patient.inc in OpenEMR before 5.0.2.5 allow
7.2HIGH
CVE-2020-29142
< 5.0.2.5
A SQL injection vulnerability in interface/usergroup/usergroup_admin.php in OpenEMR before 5.0.2.5 allows a remote authenticated a
7.2HIGH
CVE-2020-13565
all versions
An open redirect vulnerability exists in the return_page redirection functionality of phpGACL 3.3.7, OpenEMR 5.0.2 and OpenEMR dev
6.1MEDIUM
CVE-2020-36243
all versions
The Patient Portal of OpenEMR 5.0.2.1 is affected by a Command Injection vulnerability in /interface/main/backup.php. To exploit t
8.8HIGH
CVE-2020-13564
all versions
A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can l
6.1MEDIUM
CVE-2020-13563
all versions
A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can l
6.1MEDIUM
CVE-2020-13562
all versions
A cross-site scripting vulnerability exists in the template functionality of phpGACL 3.3.7. A specially crafted HTTP request can l
6.1MEDIUM
CVE-2020-13569
all versions
A cross-site request forgery vulnerability exists in the GACL functionality of OpenEMR 5.0.2 and development version 6.0.0 (commit
8.8HIGH
CVE-2020-19364
all versions
OpenEMR 5.0.1 allows an authenticated attacker to upload and execute malicious PHP scripts through /controller.php.
8.8HIGH
CVE-2018-16795
all versions
OpenEMR 5.0.1.3 allows Cross-Site Request Forgery (CSRF) via library/ajax and interface/super, as demonstrated by use of interface
8.8HIGH
CVE-2019-16404
>= 5.0.1 and <= 5.0.2
Authenticated SQL Injection in interface/forms/eye_mag/js/eye_base.php in OpenEMR through 5.0.2 allows a user to extract arbitrary
8.8HIGH
CVE-2019-17409
>= 5.0.1 and < 5.0.2.1
Reflected XSS exists in interface/forms/eye_mag/view.php in OpenEMR 5.x before 5.0.2.1 via the id parameter.
6.1MEDIUM
CVE-2019-16862
>= 5.0.0 and < 5.0.2.1
Reflected XSS in interface/forms/eye_mag/view.php in OpenEMR 5.x before 5.0.2.1 allows a remote attacker to execute arbitrary code
6.1MEDIUM
CVE-2019-17197
<= 5.0.2
OpenEMR through 5.0.2 has SQL Injection in the Lifestyle demographic filter criteria in library/clinical_rules.php that affects li
9.8CRITICAL
CVE-2019-17179
<= 5.0.2
4.1.0, 4.1.1, 4.1.2, 4.1.2.3, 4.1.2.6, 4.1.2.7, 4.2.0, 4.2.1, 4.2.2, 5.0.0, 5.0.0.5, 5.0.0.6, 5.0.1, 5.0.1.1, 5.0.1.2, 5.0.1.3, 5.
6.1MEDIUM
CVE-2019-8368
all versions
OpenEMR v5.0.1-6 allows XSS.
6.1MEDIUM
CVE-2019-8371
all versions
OpenEMR v5.0.1-6 allows code execution.
7.2HIGH
CVE-2019-3968
<= 5.0.1
In OpenEMR 5.0.1 and earlier, an authenticated attacker can execute arbitrary commands on the host system via the Scanned Forms in
8.8HIGH
CVE-2019-3967
<= 5.0.1
In OpenEMR 5.0.1 and earlier, the patient file download interface contains a directory traversal flaw that allows authenticated at
6.5MEDIUM
CVE-2019-3966
<= 5.0.1
In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the foreign_id parameter. This could allow
6.1MEDIUM
CVE-2019-3965
<= 5.0.1
In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the document_id parameter. This could allow
6.1MEDIUM
CVE-2019-3964
<= 5.0.1
In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the doc_id parameter. This could allow an a
6.1MEDIUM
CVE-2019-3963
<= 5.0.1
In OpenEMR 5.0.1 and earlier, controller.php contains a reflected XSS vulnerability in the patient_id parameter. This could allow
6.1MEDIUM
CVE-2019-14530
< 5.0.2
An issue was discovered in custom/ajax_download.php in OpenEMR before 5.0.2 via the fileName parameter. An attacker can download a
8.8HIGH
CVE-2019-14529
< 5.0.2
OpenEMR before 5.0.2 allows SQL Injection in interface/forms/eye_mag/save.php.
9.8CRITICAL
CVE-2018-17181
< 5.0.1.7
An issue was discovered in OpenEMR before 5.0.1 Patch 7. SQL Injection exists in the SaveAudit function in /portal/lib/paylib.php
9.8CRITICAL
CVE-2018-17180
< 5.0.1.7
An issue was discovered in OpenEMR before 5.0.1 Patch 7. Directory Traversal exists via docid=../ to /portal/lib/download_template
5.3MEDIUM
CVE-2018-17179
< 5.0.1.7
An issue was discovered in OpenEMR before 5.0.1 Patch 7. There is SQL Injection in the make_task function in /interface/forms/eye_
9.8CRITICAL
CVE-2018-18035
< 5.0.1.6
A vulnerability in flashcanvas.swf in OpenEMR before 5.0.1 Patch 6 could allow an unauthenticated, remote attacker to conduct a cr
6.1MEDIUM
CVE-2018-1000219
all versions
OpenEMR version v5_0_1_4 contains a Cross Site Scripting (XSS) vulnerability in The 'scan' parameter in line #41 of interface/fax/
5.4MEDIUM
CVE-2018-1000218
all versions
OpenEMR version v5_0_1_4 contains a Cross Site Scripting (XSS) vulnerability in The 'file' parameter in line #43 of interface/fax/
5.4MEDIUM
CVE-2018-15156
< 5.0.1.4
OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary c
8.8HIGH
CVE-2018-15155
< 5.0.1.4
OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary c
8.8HIGH
CVE-2018-15154
< 5.0.1.4
OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary c
8.8HIGH
CVE-2018-15153
< 5.0.1.4
OS command injection occurring in versions of OpenEMR before 5.0.1.4 allows a remote authenticated attacker to execute arbitrary c
8.8HIGH
CVE-2018-15152
< 5.0.1.4
Authentication bypass vulnerability in portal/account/register.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker
9.1CRITICAL
CVE-2018-15151
<= 5.0.1.3
SQL injection vulnerability in interface/de_identification_forms/find_code_popup.php in versions of OpenEMR before 5.0.1.4 allows
8.8HIGH
CVE-2018-15150
<= 5.0.1.3
SQL injection vulnerability in interface/de_identification_forms/de_identification_screen2.php in versions of OpenEMR before 5.0.1
8.8HIGH
CVE-2018-15149
<= 5.0.1.3
SQL injection vulnerability in interface/forms/eye_mag/php/Anything_simple.php from library/forms.inc in versions of OpenEMR befor
8.8HIGH
CVE-2018-15148
<= 5.0.1.3
SQL injection vulnerability in interface/patient_file/encounter/search_code.php in versions of OpenEMR before 5.0.1.4 allows a rem
8.8HIGH
CVE-2018-15147
<= 5.0.1.3
SQL injection vulnerability in interface/forms_admin/forms_admin.php from library/registry.inc in versions of OpenEMR before 5.0.1
8.8HIGH
CVE-2018-15146
<= 5.0.1.3
SQL injection vulnerability in interface/de_identification_forms/find_immunization_popup.php in versions of OpenEMR before 5.0.1.4
8.8HIGH
CVE-2018-15145
< 5.0.1.4
Multiple SQL injection vulnerabilities in portal/add_edit_event_user.php in versions of OpenEMR before 5.0.1.4 allow a remote atta
9.8CRITICAL
CVE-2018-15144
< 5.0.1.4
SQL injection vulnerability in interface/de_identification_forms/find_drug_popup.php in versions of OpenEMR before 5.0.1.4 allows
8.8HIGH
CVE-2018-15143
< 5.0.1.4
Multiple SQL injection vulnerabilities in portal/find_appt_popup_user.php in versions of OpenEMR before 5.0.1.4 allow a remote att
9.8CRITICAL
CVE-2018-15142
< 5.0.1.4
Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in
8.8HIGH
CVE-2018-15141
< 5.0.1.4
Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in
6.5MEDIUM
CVE-2018-15140
< 5.0.1.4
Directory traversal in portal/import_template.php in versions of OpenEMR before 5.0.1.4 allows a remote attacker authenticated in
6.5MEDIUM
CVE-2018-15139
< 5.0.1.4
Unrestricted file upload in interface/super/manage_site_files.php in versions of OpenEMR before 5.0.1.4 allows a remote authentica
8.8HIGH
CVE-2018-9250
< 5.0.1.1
interface\super\edit_list.php in OpenEMR before v5_0_1_1 allows remote authenticated users to execute arbitrary SQL commands via t
8.8HIGH
CVE-2018-10573
< 5.0.1
interface/fax/fax_dispatch.php in OpenEMR before 5.0.1 allows remote authenticated users to bypass intended access restrictions vi
8.8HIGH
CVE-2018-10572
< 5.0.1
interface/patient_file/letter.php in OpenEMR before 5.0.1 allows remote authenticated users to bypass intended access restrictions
6.5MEDIUM
CVE-2018-10571
< 5.0.1
Multiple reflected cross-site scripting (XSS) vulnerabilities in OpenEMR before 5.0.1 allow remote attackers to inject arbitrary w
6.1MEDIUM
CVE-2018-1000020
all versions
OpenEMR version 5.0.0 contains a Cross Site Scripting (XSS) vulnerability in open-flash-chart.swf and _posteddata.php that can res
6.1MEDIUM
CVE-2018-1000019
all versions
OpenEMR version 5.0.0 contains a OS Command Injection vulnerability in fax_dispatch.php that can result in OS command injection by
8.8HIGH
CVE-2017-1000241
<= 5.0.1
The application OpenEMR version 5.0.0, 5.0.1-dev and prior is affected by vertical privilege escalation vulnerability. This vulner
8.1HIGH
CVE-2017-1000240
<= 5.0.0
The application OpenEMR is affected by multiple reflected & stored Cross-Site Scripting (XSS) vulnerabilities affecting version 5.
5.4MEDIUM
CVE-2017-16540
< 5.0.0
OpenEMR before 5.0.0 Patch 5 allows unauthenticated remote database copying because setup.php exposes functionality for cloning an
7.5HIGH
CVE-2017-12064
all versions
The csv_log_html function in library/edihistory/edih_csv_inc.php in OpenEMR 5.0.0 and prior allows attackers to bypass intended ac
7.5HIGH
CVE-2017-9380
<= 5.0.0
OpenEMR 5.0.0 and prior allows low-privilege users to upload files of dangerous types which can result in arbitrary code execution
8.8HIGH
CVE-2017-6394
all versions
Multiple Cross-Site Scripting (XSS) issues were discovered in OpenEMR 5.0.0 and 5.0.1-dev. The vulnerabilities exist due to insuff
6.1MEDIUM
CVE-2015-4453
all versions
interface/globals.php in OpenEMR 2.x, 3.x, and 4.x before 4.2.0 patch 2 allows remote attackers to bypass authentication and obtai
CVE-2014-5462
<= 4.1.2
Multiple SQL injection vulnerabilities in OpenEMR 4.1.2 (Patch 7) and earlier allow remote authenticated users to execute arbitrar
CVE-2013-4620
all versions
Cross-site scripting (XSS) vulnerability in interface/main/onotes/office_comments_full.php in OpenEMR 4.1.1 allows remote attacker
CVE-2013-4619
all versions
Multiple SQL injection vulnerabilities in OpenEMR 4.1.1 allow remote authenticated users to execute arbitrary SQL commands via the
CVE-2012-2115
<= 4.1.0
SQL injection vulnerability in interface/login/validateUser.php in OpenEMR 4.1.0 and possibly earlier allows remote attackers to e
CVE-2011-5161
all versions
Unrestricted file upload vulnerability in the patient photograph functionality in OpenEMR 4 allows remote attackers to execute arb
CVE-2011-5160
all versions
Cross-site scripting (XSS) vulnerability in setup.php in OpenEMR 4 allows remote attackers to inject arbitrary web script or HTML
CVE-2012-0992
all versions
interface/fax/fax_dispatch.php in OpenEMR 4.1.0 allows remote authenticated users to execute arbitrary commands via shell metachar
CVE-2012-0991
all versions
Multiple directory traversal vulnerabilities in OpenEMR 4.1.0 allow remote authenticated users to read arbitrary files via a .. (d
CVE-2007-0649
<= 2.8.2
Variable overwrite vulnerability in interface/globals.php in OpenEMR 2.8.2 and earlier allows remote attackers to overwrite arbitr
CVE-2006-5811
all versions
PHP remote file inclusion vulnerability in library/translation.inc.php in OpenEMR 2.8.1, with register_globals enabled, allows rem
CVE-2006-5795
<= 2.8.1
Multiple PHP remote file inclusion vulnerabilities in OpenEMR 2.8.1 and earlier, when register_globals is enabled, allow remote at
CVE-2006-2929
<= 2.8.1
PHP remote file inclusion vulnerability in contrib/forms/evaluation/C_FormEvaluation.class.php in OpenEMR 2.8.1 and earlier, when
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin