CVE-2026-25164

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the REST API route table in apis/routes/restroutesstandard.inc.php does not call RestConfig::requestauthorizationcheck for the document and insurance routes. Other...

CVE-2026-25164 OpenEMR's Document and Insurance REST Endpoints Skip ACL

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the REST API route table in apis/routes/restroutesstandard.inc.php does not call RestConfig::requestauthorizationcheck for the document and insurance routes. Other...

CVE-2026-25164

OpenEMR before version 8.0.0 exposed documents and insurance data via the REST API. The route table in apis/routes/_rest_routes_standard.inc.php did not call RestConfig::request_authorization_check() for the document and insurance endpoints, allowing any valid API bearer token to access or modify...

CVE-2026-25164

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the REST API route table in apis/routes/restroutesstandard.inc.php does not call RestConfig::requestauthorizationcheck for the document and insurance routes. Other...

CVE-2026-25164 OpenEMR's Document and Insurance REST Endpoints Skip ACL

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the REST API route table in apis/routes/restroutesstandard.inc.php does not call RestConfig::requestauthorizationcheck for the document and insurance routes. Other...

PT-2026-21975

Name of the Vulnerable Software and Affected Versions OpenEMR versions prior to 8.0.0 Description OpenEMR is an electronic health records and medical practice management application. Prior to version 8.0.0, the REST API route table in apis/routes/ rest routes standard.inc.php does not call...

CVE-2020-6268

Statutory Reporting for Insurance Companies in SAP ERP EA-FINSERV versions - 600, 603, 604, 605, 606, 616, 617, 618, 800 and S4CORE versions 101, 102, 103, 104 does not execute the required authorization checks for an authenticated user, allowing an attacker to view and tamper with certain...

A week in security (September 23 – 29)

Last week on Labs, we highlighted an Emotet campaign using Snowden’s new book as a lure, discussed how 15,000 webcams are vulnerable to attack, how insurance data security laws skirt political turmoil, and how the new iOS exploit checkm8 allows permanent compromise of iPhones. Other cybersecurity...

Insurance data security laws skirt political turmoil

Across the United States, a unique approach to lawmaking has proved radically successful in making data security stronger for one industry—insurance providers. The singular approach has entirely sidestepped the prolonged, political arguments that have become commonplace when trying to pass federa...