12 matches found
CVE-2026-25220
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the Message Center accepts the URL parameter showall=yes and passes it to getPnotesByUser, which returns all internal messages (all users’ notes). The backend does not...
CVE-2026-25220 OpenEMR Messages "Show All" Not Restricted to Admins
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the Message Center accepts the URL parameter showall=yes and passes it to getPnotesByUser, which returns all internal messages (all users’ notes). The backend does not...
CVE-2026-25220
The CVE describes an access control flaw in OpenEMR prior to version 8.0.0 where the Message Center accepts the URL parameter show_all=yes and passes it to getPnotesByUser() without verifying admin rights. A non-admin, authenticated user could view the entire internal messages list by requesting ...
PT-2026-21976
Name of the Vulnerable Software and Affected Versions: OpenEMR versions prior to 8.0.0. Description: OpenEMR is an electronic health records and medical practice management application. Prior to version 8.0.0, the Message Center does not verify administrator privileges when handling the show_all=yes...
CVE-2023-4708
A vulnerability was found in Infosoftbd Clcknshop 1.0.0. It has been rated as critical. This issue affects some unknown processing of the file /collection/all of the component GET Parameter Handler. The manipulation of the argument tag leads to sql injection. The attack may be initiated remotely...
CVE-2021-39420
Multiple Cross Site Scripting (XSS) vulnerabilities exist in VFront 0.99.5 via (1) the s parameter in search_all.php and (2) the msg parameter in add_attach.php...
Twonky Server Cross-Site Scripting Vulnerability
Twonky Server is the industry-leading DLNA/UPnP media server from Lynx Technology that enables the sharing of media content between connected devices. A cross-site scripting vulnerability exists in Twonky Server. A remote attacker can exploit this vulnerability to inject arbitrary web script or...
Twonky Server Directory Traversal Vulnerability
Twonky Server is the industry-leading DLNA/UPnP media server from Lynx Technology that enables the sharing of media content between connected devices. A directory traversal vulnerability exists in Twonky Server. A remote attacker could use the contentbase parameter of rpc/setall in the ... double...
LDF (Default.asp) Sql Injection Vulnerability
Product: LDF. Vendor: www.ldf.22.cn. Vulnerable Versions: All. The Default.asp page does not validate the "Page" parameter, so an attacker can inject arbitrary SQL commands: http://www.example.com/ldf path/default.asp?page=SQL COMMAND...
CVE-2005-3432
MiniGal 2 (MG2) 0.5.1 allows remote attackers to list password protected images via a request to index.php with the list parameter set to wildcard and the page parameter set to all...