8.1

CVSS3.1

CVE-2026-34055 - OpenEMR has IDOR in Patient Notes Web UI allows unauthorized note access/modification

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the legacy patient notes functions in `library/pnotes.inc.php` perform updates and deletes using `WHERE id = ?` without verifying that the note belongs to a patient the…

📅 Published: March 25, 2026, 11:49 p.m. 🔄 Last Modified: March 27, 2026, 9:29 a.m.

7.1

CVSS3.1

CVE-2026-34053 - OpenEMR Missing Authorization in Procedure Order AJAX Deletion Handler

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, missing authorization in the AJAX deletion endpoint `interface/forms/procedure_order/handle_deletions.php` allows any authenticated user, regardless of role, to irrever…

📅 Published: March 25, 2026, 11:46 p.m. 🔄 Last Modified: March 27, 2026, 9:29 a.m.

5.4

CVSS3.1

CVE-2026-34051 - OpenEMR has Improper ACL On Import/Export Popup

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 have an improper access control on the Import/Export functionality, allowing unauthorized users to perform import and export actions through direct request manipulation…

📅 Published: March 25, 2026, 11:45 p.m. 🔄 Last Modified: March 28, 2026, 1:52 a.m.

4.3

CVSS3.1

CVE-2026-33934 - OpenEMR's Missing Authorization in show-signature.php Allows Portal Patients to Read Staff Signatur…

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 have a missing authorization check in `portal/sign/lib/show-signature.php` that allows any authenticated patient portal user to retrieve the drawn signature image of an…

📅 Published: March 25, 2026, 11:41 p.m. 🔄 Last Modified: March 27, 2026, 9:29 a.m.

6.1

CVSS3.1

CVE-2026-33933 - Reflected XSS via Unescaped contextName Parameter in Custom Template Editor

OpenEMR is a free and open source electronic health records and medical practice management application. Starting in version 7.0.2.1 and prior to version 8.0.0.3, a reflected cross-site scripting (XSS) vulnerability in the custom template editor allows an attacker to execute arbitrary JavaScript in…

📅 Published: March 25, 2026, 11:40 p.m. 🔄 Last Modified: March 27, 2026, 9:29 a.m.

7.6

CVSS3.1

CVE-2026-33932 - OpenEMR has Stored XSS in CCDA Preview via Unsanitized linkHtml Attributes

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a stored cross-site scripting vulnerability in the CCDA document preview allows an attacker who can upload or send a CCDA document to execute arbitrary JavaScript in a …

📅 Published: March 25, 2026, 11:37 p.m. 🔄 Last Modified: March 30, 2026, 2:56 p.m.

6.5

CVSS3.1

CVE-2026-33931 - OpenEMR has IDOR in Portal Payment Page that Allows Cross-Patient Record Access

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an Insecure Direct Object Reference (IDOR) vulnerability in the patient portal payment page allows any authenticated portal patient to access other patients' payment re…

📅 Published: March 25, 2026, 11:36 p.m. 🔄 Last Modified: March 27, 2026, 9:29 a.m.

5.3

CVSS4.0

CVE-2026-4826 - SourceCodester Sales and Inventory System HTTP GET Parameter update_stock.php sql injection

A vulnerability was determined in SourceCodester Sales and Inventory System 1.0. This vulnerability affects unknown code of the file /update_stock.php of the component HTTP GET Parameter Handler. This manipulation of the argument sid causes sql injection. Remote exploitation of the attack is possib…

📅 Published: March 25, 2026, 11:35 p.m. 🔄 Last Modified: April 8, 2026, 8:01 p.m.

7.6

CVSS3.1

CVE-2026-33918 - OpenEMR Missing Authorization on Claim File Download Endpoint

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the billing file-download endpoint `interface/billing/get_claim_file.php` only verifies that the caller has a valid session and CSRF token, but does not check any ACL p…

📅 Published: March 25, 2026, 11:35 p.m. 🔄 Last Modified: March 27, 2026, 9:29 a.m.

8.8

CVSS3.1

CVE-2026-33917 - OpenEMR has SQL Injection in CAMOS Form

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 contain a SQL injection vulnerability in the ajax_save CAMOS form that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input v…

📅 Published: March 25, 2026, 11:31 p.m. 🔄 Last Modified: March 27, 2026, 9:29 a.m.