6.5

CVSS3.1

CVE-2026-25930 - OpenEMR's Printable LBF Endpoint Leaks Arbitrary Patient Forms

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the Layout-Based Form (LBF) printable view accepts `formid` and `visitid` (or `patientid`) from the request and does not verify that the form belongs to the current user’…

📅 Published: Feb. 25, 2026, 6:48 p.m. 🔄 Last Modified: April 17, 2026, 3 p.m.

6.5

CVSS3.1

CVE-2026-25929 - OpenEMR Patient Picture Context Allows Arbitrary Patient Photo Retrieval

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the document controller’s `patient_picture` context serves the patient’s photo by document ID or patient ID without verifying that the current user is authorized to acces…

📅 Published: Feb. 25, 2026, 6:46 p.m. 🔄 Last Modified: April 17, 2026, 3:15 p.m.

7.1

CVSS3.1

CVE-2026-25927 - OpenEMR Missing Authorization Checks in DICOM Viewer State API

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the DICOM viewer state API (e.g. upload or state save/load) accepts a document ID (`doc_id`) without verifying that the document belongs to the current user’s authorized…

📅 Published: Feb. 25, 2026, 6:43 p.m. 🔄 Last Modified: April 17, 2026, 3:15 p.m.

8.8

CVSS3.1

CVE-2026-25746 - OpenEMR has SQL Injection Vulnerability

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0 contain a SQL injection vulnerability in prescription that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in t…

📅 Published: Feb. 25, 2026, 6:39 p.m. 🔄 Last Modified: April 17, 2026, 3:15 p.m.

7.2

CVSS4.0

CVE-2026-25743 - OpenEMR has Stored XSS in Questionnaire answers

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, users with the "Forms administration" role can fill questionnaires ("forms") in patient encounters. The answers to the forms are displayed on the encounter page and in th…

📅 Published: Feb. 25, 2026, 6:33 p.m. 🔄 Last Modified: April 18, 2026, 10:45 a.m.

4.9

CVSS3.1

CVE-2026-3221 - Devolutions Server Database Stores Unencrypted User Account Information

Sensitive user account information is not encrypted in the database in Devolutions Server 2025.3.14 and earlier, which allows an attacker with access to the database to obtain sensitive user information via direct database access.

📅 Published: Feb. 25, 2026, 6:29 p.m. 🔄 Last Modified: April 18, 2026, 10:45 a.m.

7.5

CVSS3.1

CVE-2026-25476 - OpenEMR has Session Timeout Bypass via skip_timeout_reset

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the session expiration check in `library/auth.inc.php` runs only when `skip_timeout_reset` is not present in the request. When `skip_timeout_reset=1` is sent, the entire …

📅 Published: Feb. 25, 2026, 6:28 p.m. 🔄 Last Modified: April 17, 2026, 3:15 p.m.

5.7

CVSS4.0

CVE-2026-25220 - OpenEMR Messages "Show All" Not Restricted to Admins

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the Message Center accepts the URL parameter `show_all=yes` and passes it to `getPnotesByUser()`, which returns all internal messages (all users’ notes). The backend does…

📅 Published: Feb. 25, 2026, 6:25 p.m. 🔄 Last Modified: April 17, 2026, 3:15 p.m.

8.1

CVSS3.1

CVE-2026-25164 - OpenEMR's Document and Insurance REST Endpoints Skip ACL

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the REST API route table in `apis/routes/_rest_routes_standard.inc.php` does not call `RestConfig::request_authorization_check()` for the document and insurance routes. O…

📅 Published: Feb. 25, 2026, 6:22 p.m. 🔄 Last Modified: April 17, 2026, 3:15 p.m.

10

CVSS3.1

CVE-2026-24908 - OpenEMR has SQL Injection in Patient API Sort Parameter

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL injection vulnerability in the Patient REST API endpoint allows authenticated users with API access to execute arbitrary SQL queries through the `_sort` parameter.…

📅 Published: Feb. 25, 2026, 6:14 p.m. 🔄 Last Modified: April 17, 2026, 3:15 p.m.