Open Emr Openemr
By the Year
In 2025 there have been 7 vulnerabilities in Open Emr Openemr with an average score of 6.1 out of ten. Last year, in 2024, Openemr had 3 security vulnerabilities published. That is, 4 more vulnerabilities have already been reported in 2025 than in all of last year, and the average CVE base score of the 2025 vulnerabilities is higher by 1.28.
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 7 | 6.08 |
2024 | 3 | 4.80 |
2023 | 14 | 6.55 |
2022 | 29 | 6.22 |
2021 | 25 | 6.90 |
2020 | 0 | 0.00 |
2019 | 19 | 7.34 |
2018 | 26 | 8.15 |
It may take a day or so for new Openemr vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Open Emr Openemr Security Vulnerabilities
OpenEMR 7.0.2 is vulnerable to SQL Injection
CVE-2024-22611
- April 03, 2025
OpenEMR 7.0.2 is vulnerable to SQL Injection via \openemr\library\classes\Pharmacy.class.php, \controllers\C_Pharmacy.class.php and \openemr\controller.php.
OpenEMR is a free and open source electronic health records and medical practice management application
CVE-2025-31121
5.4 - Medium
- April 01, 2025
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 7.0.3.1, the Patient Image feature in OpenEMR is vulnerable to cross-site scripting attacks via the EXIF title in an image. This vulnerability is fixed in 7.0.3.1.
XSS
OpenEMR is a free and open source electronic health records and medical practice management application
CVE-2025-31117
7.5 - High
- March 31, 2025
OpenEMR is a free and open source electronic health records and medical practice management application. An Out-of-Band Server-Side Request Forgery (OOB SSRF) vulnerability was identified in OpenEMR, allowing an attacker to force the server to make unauthorized requests to external or internal resources. This attack does not return a direct response but can be exploited through DNS or HTTP interactions to exfiltrate sensitive information. This vulnerability is fixed in 7.0.3.1.
SSRF
OpenEMR is a free and open source electronic health records and medical practice management application
CVE-2025-29772
6.1 - Medium
- March 31, 2025
OpenEMR is a free and open source electronic health records and medical practice management application. The POST parameter hidden_subcategory is output to the page without being properly processed. This leads to a reflected cross-site scripting (XSS) vulnerability in CAMOS new.php. This vulnerability is fixed in 7.0.3.
XSS
OpenEMR is a free and open source electronic health records and medical practice management application
CVE-2025-30161
5.4 - Medium
- March 31, 2025
OpenEMR is a free and open source electronic health records and medical practice management application. A stored XSS vulnerability in the Bronchitis form component of OpenEMR allows anyone who is able to edit a bronchitis form to steal credentials from administrators. This vulnerability is fixed in 7.0.3.
Basic XSS
OpenEMR is a free and open source electronic health records and medical practice management application
CVE-2025-30149
4.6 - Medium
- March 31, 2025
OpenEMR is a free and open source electronic health records and medical practice management application. OpenEMR allows reflected cross-site scripting (XSS) in the AJAX Script interface\super\layout_listitems_ajax.php via the target parameter. This vulnerability is fixed in 7.0.3.
XSS
OpenEMR is a free and open source electronic health records and medical practice management application
CVE-2025-29789
7.5 - High
- March 25, 2025
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.3.0 are vulnerable to Directory Traversal in the Load Code feature. Version 7.3.0 contains a patch for the issue.
Directory traversal
A stored cross-site scripting (XSS) vulnerability exists in openemr/openemr version 7.0.1
CVE-2024-0875
4.8 - Medium
- November 15, 2024
A stored cross-site scripting (XSS) vulnerability exists in openemr/openemr version 7.0.1. An attacker can inject malicious payloads into the 'inputBody' field in the Secure Messaging feature, which can then be sent to other users. When the recipient views the malicious message, the payload is executed, potentially compromising their account. This issue is fixed in version 7.0.2.1.
XSS
An issue in OpenEMR 7.0.2
CVE-2024-37734
- June 26, 2024
An issue in OpenEMR 7.0.2 allows a remote attacker to escalate privileges via a crafted POST request using the noteid parameter.
An issue in open-emr before v.7.0.2
CVE-2024-26476
- February 28, 2024
An issue in open-emr before v.7.0.2 allows a remote attacker to escalate privileges via a crafted script to the formid parameter in the ereq_form.php component.
Cross-site Scripting (XSS) - Generic in GitHub repository openemr/openemr prior to 7.0.1.
CVE-2023-2948
6.1 - Medium
- May 28, 2023
Cross-site Scripting (XSS) - Generic in GitHub repository openemr/openemr prior to 7.0.1.
XSS
Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/openemr prior to 7.0.1.
CVE-2023-2949
6.1 - Medium
- May 28, 2023
Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/openemr prior to 7.0.1.
XSS
Improper Authorization in GitHub repository openemr/openemr prior to 7.0.1.
CVE-2023-2950
8.1 - High
- May 28, 2023
Improper Authorization in GitHub repository openemr/openemr prior to 7.0.1.
AuthZ
Improper Access Control in GitHub repository openemr/openemr prior to 7.0.1.
CVE-2023-2946
8.1 - High
- May 27, 2023
Improper Access Control in GitHub repository openemr/openemr prior to 7.0.1.
Authorization
Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.1.
CVE-2023-2947
4.8 - Medium
- May 27, 2023
Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.1.
XSS
Improper Input Validation in GitHub repository openemr/openemr prior to 7.0.1.
CVE-2023-2942
8.1 - High
- May 27, 2023
Improper Input Validation in GitHub repository openemr/openemr prior to 7.0.1.
Improper Input Validation
Code Injection in GitHub repository openemr/openemr prior to 7.0.1.
CVE-2023-2943
8.8 - High
- May 27, 2023
Code Injection in GitHub repository openemr/openemr prior to 7.0.1.
Code Injection
Improper Access Control in GitHub repository openemr/openemr prior to 7.0.1.
CVE-2023-2944
5.4 - Medium
- May 27, 2023
Improper Access Control in GitHub repository openemr/openemr prior to 7.0.1.
Authorization
Missing Authorization in GitHub repository openemr/openemr prior to 7.0.1.
CVE-2023-2945
5.4 - Medium
- May 27, 2023
Missing Authorization in GitHub repository openemr/openemr prior to 7.0.1.
AuthZ
Improper Access Control in GitHub repository openemr/openemr prior to 7.0.1.
CVE-2023-2674
4.3 - Medium
- May 12, 2023
Improper Access Control in GitHub repository openemr/openemr prior to 7.0.1.
Authorization
Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.1.
CVE-2023-2566
4.8 - Medium
- May 08, 2023
Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.1.
XSS
A Reflected Cross-site scripting (XSS) vulnerability in interface/forms/eye_mag/php/eye_mag_functions.php in OpenEMR < 7.0.0
CVE-2023-22972
5.4 - Medium
- February 22, 2023
A Reflected Cross-site scripting (XSS) vulnerability in interface/forms/eye_mag/php/eye_mag_functions.php in OpenEMR < 7.0.0 allows remote authenticated users to inject arbitrary web script or HTML via the REQUEST_URI.
XSS
A Local File Inclusion (LFI) vulnerability in interface/forms/LBF/new.php in OpenEMR < 7.0.0
CVE-2023-22973
8.8 - High
- February 22, 2023
A Local File Inclusion (LFI) vulnerability in interface/forms/LBF/new.php in OpenEMR < 7.0.0 allows remote authenticated users to execute code via the formname parameter.
Directory traversal
A Path Traversal in setup.php in OpenEMR < 7.0.0
CVE-2023-22974
7.5 - High
- February 22, 2023
A Path Traversal in setup.php in OpenEMR < 7.0.0 allows remote unauthenticated users to read arbitrary files by controlling a connection to an attacker-controlled MySQL server.
Files or Directories Accessible to External Parties
Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.0.2.
CVE-2022-4733
4.8 - Medium
- December 27, 2022
Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.0.2.
XSS
Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/openemr prior to 7.0.0.2.
CVE-2022-4615
6.1 - Medium
- December 19, 2022
Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/openemr prior to 7.0.0.2.
XSS
Improper Access Control in GitHub repository openemr/openemr prior to 7.0.0.2.
CVE-2022-4567
8.1 - High
- December 17, 2022
Improper Access Control in GitHub repository openemr/openemr prior to 7.0.0.2.
Authorization
Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/openemr prior to 7.0.0.2.
CVE-2022-4502
6.1 - Medium
- December 15, 2022
Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/openemr prior to 7.0.0.2.
XSS
Cross-site Scripting (XSS) - Generic in GitHub repository openemr/openemr prior to 7.0.0.2.
CVE-2022-4503
6.1 - Medium
- December 15, 2022
Cross-site Scripting (XSS) - Generic in GitHub repository openemr/openemr prior to 7.0.0.2.
XSS
Improper Input Validation in GitHub repository openemr/openemr prior to 7.0.0.2.
CVE-2022-4504
7.5 - High
- December 15, 2022
Improper Input Validation in GitHub repository openemr/openemr prior to 7.0.0.2.
Improper Input Validation
Authorization Bypass Through User-Controlled Key in GitHub repository openemr/openemr prior to 7.0.0.2.
CVE-2022-4505
4.3 - Medium
- December 15, 2022
Authorization Bypass Through User-Controlled Key in GitHub repository openemr/openemr prior to 7.0.0.2.
Insecure Direct Object Reference / IDOR
Unrestricted Upload of File with Dangerous Type in GitHub repository openemr/openemr prior to 7.0.0.2.
CVE-2022-4506
8.8 - High
- December 15, 2022
Unrestricted Upload of File with Dangerous Type in GitHub repository openemr/openemr prior to 7.0.0.2.
Unrestricted File Upload
Authorization Bypass Through User-Controlled Key in GitHub repository openemr/openemr prior to 7.0.0.1.
CVE-2022-2824
5.4 - Medium
- August 15, 2022
Authorization Bypass Through User-Controlled Key in GitHub repository openemr/openemr prior to 7.0.0.1.
Insecure Direct Object Reference / IDOR
Improper Restriction of Rendered UI Layers or Frames in GitHub repository openemr/openemr prior to 7.0.0.1.
CVE-2022-2734
5.4 - Medium
- August 09, 2022
Improper Restriction of Rendered UI Layers or Frames in GitHub repository openemr/openemr prior to 7.0.0.1.
Clickjacking
Missing Authorization in GitHub repository openemr/openemr prior to 7.0.0.1.
CVE-2022-2732
8.3 - High
- August 09, 2022
Missing Authorization in GitHub repository openemr/openemr prior to 7.0.0.1.
AuthZ
Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/openemr prior to 7.0.0.1.
CVE-2022-2733
6.1 - Medium
- August 09, 2022
Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/openemr prior to 7.0.0.1.
XSS
Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/openemr prior to 7.0.0.1.
CVE-2022-2731
6.1 - Medium
- August 09, 2022
Cross-site Scripting (XSS) - Reflected in GitHub repository openemr/openemr prior to 7.0.0.1.
XSS
Authorization Bypass Through User-Controlled Key in GitHub repository openemr/openemr prior to 7.0.0.1.
CVE-2022-2730
6.5 - Medium
- August 09, 2022
Authorization Bypass Through User-Controlled Key in GitHub repository openemr/openemr prior to 7.0.0.1.
Insecure Direct Object Reference / IDOR
Cross-site Scripting (XSS) - DOM in GitHub repository openemr/openemr prior to 7.0.0.1.
CVE-2022-2729
5.4 - Medium
- August 09, 2022
Cross-site Scripting (XSS) - DOM in GitHub repository openemr/openemr prior to 7.0.0.1.
XSS
Data Access from Outside Expected Data Manager Component in GitHub repository openemr/openemr prior to 7.0.0.
CVE-2022-2493
8.1 - High
- July 22, 2022
Data Access from Outside Expected Data Manager Component in GitHub repository openemr/openemr prior to 7.0.0.
Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.0.
CVE-2022-2494
5.4 - Medium
- July 22, 2022
Cross-site Scripting (XSS) - Stored in GitHub repository openemr/openemr prior to 7.0.0.
XSS
Non Privilege User can Enable or Disable Registered in GitHub repository openemr/openemr prior to 6.1.0.1.
CVE-2022-1461
6.5 - Medium
- April 25, 2022
Non Privilege User can Enable or Disable Registered in GitHub repository openemr/openemr prior to 6.1.0.1.
Insecure Direct Object Reference / IDOR
Non-Privilege User Can View Patients Disclosures in GitHub repository openemr/openemr prior to 6.1.0.1.
CVE-2022-1459
8.3 - High
- April 25, 2022
Non-Privilege User Can View Patients Disclosures in GitHub repository openemr/openemr prior to 6.1.0.1.
Insecure Direct Object Reference / IDOR
Stored XSS Leads To Session Hijacking in GitHub repository openemr/openemr prior to 6.1.0.1.
CVE-2022-1458
5.4 - Medium
- April 25, 2022
Stored XSS Leads To Session Hijacking in GitHub repository openemr/openemr prior to 6.1.0.1.
XSS
Multiple SQL injection vulnerabilities exist in phpGACL 3.3.7
CVE-2020-13567
9.8 - Critical
- April 18, 2022
Multiple SQL injection vulnerabilities exist in phpGACL 3.3.7. A specially crafted HTTP request can lead to a SQL injection. An attacker can send an HTTP request to trigger this vulnerability.
SQL Injection
Stored Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4.
CVE-2022-1178
5.4 - Medium
- March 30, 2022
Stored Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4.
XSS
Non-Privilege User Can Created New Rule and Lead to Stored Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4.
CVE-2022-1179
5.4 - Medium
- March 30, 2022
Non-Privilege User Can Created New Rule and Lead to Stored Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4.
XSS
Reflected Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4.
CVE-2022-1180
3.5 - Low
- March 30, 2022
Reflected Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.4.
XSS
Stored Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.2.
CVE-2022-1181
5.4 - Medium
- March 30, 2022
Stored Cross Site Scripting in GitHub repository openemr/openemr prior to 6.0.0.2.
XSS
Accounting User Can Download Patient Reports in openemr in GitHub repository openemr/openemr prior to 6.1.0.
CVE-2022-1177
4.3 - Medium
- March 30, 2022
Accounting User Can Download Patient Reports in openemr in GitHub repository openemr/openemr prior to 6.1.0.
AuthZ
