1754 matches found
EUVD-2026-16030
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, five insurance company REST API routes are missing the RestConfig::requestauthorizationcheck call that every other data-modifying route in the standard API uses. This...
CVE-2026-33915
OpenEMR (open-source EHR/PM) has a vulnerability in versions prior to 8.0.0.3 where five insurance company REST API routes lack the RestConfig::request_authorization_check() check used by other data-modifying routes. This permits any authenticated API user to create or modify insurance company re...
CVE-2026-33913
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an authenticated user with access to the Carecoordination module can upload a crafted CCDA document containing to read arbitrary files from the server. Version 8.0.0....
CVE-2026-33912
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an authenticated attacker could craft a malicious form that, when submitted by a victim, executes arbitrary JavaScript in the victim's browser session. Version 8.0.0....
CVE-2026-33913 OpenEMR: XInclude Injection in CCDA Import Allows Reading Arbitrary Server Files
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an authenticated user with access to the Carecoordination module can upload a crafted CCDA document containing to read arbitrary files from the server. Version 8.0.0....
CVE-2026-33912
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an authenticated attacker could craft a malicious form that, when submitted by a victim, executes arbitrary JavaScript in the victim's browser session. Version 8.0.0....
CVE-2026-32120 OpenEMR has IDOR in Fee Sheet Product Save
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an Insecure Direct Object Reference IDOR vulnerability in the fee sheet product save logic library/FeeSheet.class.php allows any authenticated user with fee sheet ACL...
CVE-2026-32120
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an Insecure Direct Object Reference IDOR vulnerability in the fee sheet product save logic library/FeeSheet.class.php allows any authenticated user with fee sheet ACL...
CVE-2026-29187
OpenEMR has an authenticated blind boolean-based SQL injection vulnerability in the Patient Search feature (/interface/new/new_search_popup.php) present before version 8.0.0.3. The flaw allows an attacker to influence SQL logic by manipulating HTTP parameter keys, enabling arbitrary SQL commands....
CVE-2026-23971 WordPress WoodMart theme <= 8.3.8 - PHP Object Injection vulnerability
Deserialization of Untrusted Data vulnerability in xtemos WoodMart woodmart allows Object Injection.This issue affects WoodMart: from n/a through = 8.3.8...
CVE-2026-23971
CVE-2026-23971 concerns a Deserialization of Untrusted Data vulnerability in the WordPress WoodMart theme (WoodMart) affecting versions from unknown up to and including 8.3.8. The underlying issue is PHP Object Injection via untrusted data deserialization, with a high impact profile (CVSS 3.1: 8....
PT-2026-28156
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, missing authorization in the AJAX deletion endpoint interface/forms/procedure order/handle deletions.php allows any authenticated user, regardless of role, to...
PT-2026-27843
CVE-2026-23971 Deserialization of Untrusted Data vulnerability in xtemos WoodMart woodmart allows Object Injection.This issue affects WoodMart: from n/a through = 8.3.8. https://t.co/0me4zW3qJ4...
PT-2026-28152
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a stored cross-site scripting vulnerability in the CCDA document preview allows an attacker who can upload or send a CCDA document to execute arbitrary JavaScript in ...
PT-2026-28141
Name of the Vulnerable Software and Affected Versions OpenEMR versions prior to 8.0.0.3 Description OpenEMR is an electronic health records and medical practice management application. Prior to version 8.0.0.3, the title POST parameter is reflected in a JSON response created using json encode. Du...
PT-2026-27875
Name of the Vulnerable Software and Affected Versions UpSolution Core versions through 8.41 Description The software contains a flaw due to improper neutralization of input during web page generation, leading to a Reflected Cross-Site Scripting XSS condition. This allows for the execution of...
CVE-2026-33498 Parse Server: Query condition depth bypass via pre-validation transform pipeline
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0-alpha.44, an attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server...
mysql: Optimizer unspecified vulnerability (CPU Jan 2026)
Oracle CPU describes the issue as following: Vulnerability in the MySQL Server product of Oracle MySQL component: Server: Optimizer. Supported versions that are affected are 8.0.0-8.0.44, 8.4.0-8.4.7 and 9.0.0-9.5.0. Easily exploitable vulnerability allows low privileged attacker with network...
EUVD-2025-208954
Census CSWeb 8.0.1 allows "app/config" to be reachable via HTTP in some deployments. A remote, unauthenticated attacker could send requests to configuration files and obtain leaked secrets. Fixed in 8.1.0 alpha...
CVE-2026-30661
iCMS v8.0.0 contains a Cross-Site Scripting XSS vulnerability in the User Management component, specifically within the index.html file. This allows remote attackers to execute arbitrary web script or HTML via the regip or loginip parameters...