80 matches found
CVE-2026-33918
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the billing file-download endpoint interface/billing/getclaimfile.php only verifies that the caller has a valid session and CSRF token, but does not check any ACL...
OpenEMR 安全漏洞
OpenEMR is a set of open-source medical management systems developed by the OpenEMR community. This system can be used for medical practice management, electronic medical records, prescription writing, and medical billing applications. Versions of OpenEMR prior to 8.0.0.3 contained security...
CVE-2026-33918
OpenEMR (prior to v8.0.0.3) has a permission flaw in the billing file-download endpoint interface/billing/get_claim_file.php where the endpoint only validates a valid session and CSRF token but does not enforce ACLs. This allowed any authenticated OpenEMR user, regardless of billing privileges, t...
EUVD-2026-16034
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the billing file-download endpoint interface/billing/getclaimfile.php only verifies that the caller has a valid session and CSRF token, but does not check any ACL...
CVE-2026-33918 OpenEMR Missing Authorization on Claim File Download Endpoint
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the billing file-download endpoint interface/billing/getclaimfile.php only verifies that the caller has a valid session and CSRF token, but does not check any ACL...
CVE-2026-33918
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the billing file-download endpoint interface/billing/getclaimfile.php only verifies that the caller has a valid session and CSRF token, but does not check any ACL...
CVE-2026-33918 OpenEMR Missing Authorization on Claim File Download Endpoint
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the billing file-download endpoint interface/billing/getclaimfile.php only verifies that the caller has a valid session and CSRF token, but does not check any ACL...
PT-2026-28147
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the billing file-download endpoint interface/billing/get claim file.php only verifies that the caller has a valid session and CSRF token, but does not check any ACL...
CVE-2026-33305
OpenEMR (prior to 8.0.0.2) exposes an authorization bypass in the optional FaxSMS app: the AppDispatch constructor dispatches user-controlled actions, allowing any authenticated user to invoke controller methods (e.g., getNotificationLog) and access PHI without the required ACLs. The issue affect...
CVE-2026-33305 OpenEMR has Authorization Bypass in FaxSMS AppDispatch Constructor
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, an authorization bypass in the optional FaxSMS module oe-module-faxsms allows any authenticated OpenEMR user to invoke controller methods — including getNotificationLog, whic...
CVE-2026-24898 OpenEMR has an Unauthenticated MedEx Token Disclosure
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0, an unauthenticated token disclosure vulnerability in the MedEx callback endpoint allows any unauthenticated visitor to obtain the practice's MedEx API tokens, leading to comple...
OpenEMR 授权问题漏洞
OpenEMR is a set of open-source medical management systems developed by the OpenEMR community. This system can be used for medical practice management, electronic medical records, prescription writing, and medical billing applications. Versions of OpenEMR prior to 8.0.0 contained vulnerabilities...
CVE-2026-24908
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL injection vulnerability in the Patient REST API endpoint allows authenticated users with API access to execute arbitrary SQL queries through the sort parameter...
CVE-2025-67752
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, OpenEMR's HTTP client wrapper oeHttp/oeHttpRequest disables SSL/TLS certificate verification by default verify: false, making all external HTTPS connections vulnerable ...
CVE-2026-23627
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL injection vulnerability in the Immunization module allows any authenticated user to execute arbitrary SQL queries, leading to complete database compromise, PHI...
CVE-2026-25164 OpenEMR's Document and Insurance REST Endpoints Skip ACL
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the REST API route table in apis/routes/restroutesstandard.inc.php does not call RestConfig::requestauthorizationcheck for the document and insurance routes. Other...
CVE-2026-25164 OpenEMR's Document and Insurance REST Endpoints Skip ACL
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the REST API route table in apis/routes/restroutesstandard.inc.php does not call RestConfig::requestauthorizationcheck for the document and insurance routes. Other...
CVE-2026-24908 OpenEMR has SQL Injection in Patient API Sort Parameter
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL injection vulnerability in the Patient REST API endpoint allows authenticated users with API access to execute arbitrary SQL queries through the sort parameter...
EUVD-2026-8701
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an authorization bypass vulnerability in the FHIR CareTeam resource endpoint allows patient-scoped FHIR tokens to access care team data for all patients instead of bein...
CVE-2025-67752
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, OpenEMR's HTTP client wrapper oeHttp/oeHttpRequest disables SSL/TLS certificate verification by default verify: false, making all external HTTPS connections vulnerable ...