Description
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0 contain a SQL injection vulnerability in prescription that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the prescription listing functionality. Version 8.0.0 fixes the vulnerability.
Published: 2026-02-25
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL injection (data compromise)
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in OpenEMR is a SQL injection flaw in the prescription listing feature, allowing authenticated attackers to inject arbitrary SQL statements. By exploiting insufficient input validation, an attacker can read, modify, or delete patient data, potentially compromising confidentiality, integrity, and availability of the information in the database.

Affected Systems

All OpenEMR installations running versions prior to 8.0.0 are affected, including the standard OpenEMR 7.x series. The issue resides in the prescription controller module, which is part of the default OpenEMR application delivered by the primary vendor openemr:openemr.

Risk and Exploitability

The severity is high, with a CVSS score of 8.8, but the EPSS indicates a very low exploitation probability (<1%) and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access, so environments with weak account controls or widespread user privileges are more at risk, while isolated or tightly controlled deployments may experience a lower likelihood of attack.

Generated by OpenCVE AI on April 17, 2026 at 15:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenEMR to version 8.0.0 or later, which removes the vulnerable code paths.
  • If an upgrade cannot be performed immediately, disable or restrict the prescription listing functionality to only users with the highest privilege levels.
  • Implement input validation or replace all unparameterized queries in the prescription module with parameterized statements to prevent SQL injection.
  • Monitor database logs for unusual queries originating from the prescription component and investigate any anomalies.

Generated by OpenCVE AI on April 17, 2026 at 15:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Open-emr
Open-emr openemr
CPEs cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products Open-emr
Open-emr openemr

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Openemr
Openemr openemr
Vendors & Products Openemr
Openemr openemr

Wed, 25 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Description OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0 contain a SQL injection vulnerability in prescription that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the prescription listing functionality. Version 8.0.0 fixes the vulnerability.
Title OpenEMR has SQL Injection Vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Open-emr Openemr
Openemr Openemr
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T20:54:39.616Z

Reserved: 2026-02-05T16:48:00.429Z

Link: CVE-2026-25746

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-02-25T19:43:22.540

Modified: 2026-02-27T14:40:01.670

Link: CVE-2026-25746

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T15:15:21Z

Weaknesses