SB20260423161 - Multiple vulnerabilities in OpenEMR



SB20260423161 - Multiple vulnerabilities in OpenEMR

Published: April 23, 2026 Updated: April 30, 2026

Security Bulletin ID SB20260423161
CSH Severity
High
Patch available
YES
Number of vulnerabilities 7
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 14% Medium 43% Low 43%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 7 vulnerabilities.


1) Improper access control (CVE-ID: CVE-2025-67645)

CWE-ID: CWE-284 - Improper Access Control

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to modify another user's profile data.

The vulnerability exists due to improper access control in the profile edit endpoint when handling profile update requests. A remote user can modify the pid and pubpid parameters to modify another user's profile data.

If an administrator commits the unauthorized profile changes to the chart, this could enable account takeover.


2) Information disclosure (CVE-ID: CVE-2025-54373)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control in the Clinical Notes and Care Plan forms when handling encounters marked with Sensitivity=high. A remote user can open an existing form for a restricted encounter to disclose sensitive information.

Only users without Sensitivities=high privilege are able to access the restricted form contents through these forms, while other forms mentioned in the advisory do not exhibit the same behavior.


3) Improper Certificate Validation (CVE-ID: CVE-2025-67752)

CWE-ID: CWE-295 - Improper Certificate Validation

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber


The vulnerability allows a remote attacker to intercept, read, and modify encrypted communications.

The vulnerability exists due to improper certificate validation in the oeHttp and oeOAuth HTTP client wrappers when making external HTTPS requests. A remote attacker can perform a man-in-the-middle attack with a fake certificate to intercept, read, and modify encrypted communications.

The issue affects external service integrations including government healthcare APIs and OAuth flows, potentially exposing protected health information and tokens.


4) Cross-site scripting (CVE-ID: CVE-2025-68277)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a local user to conduct phishing attacks.

The vulnerability exists due to improper neutralization of untrusted input in secure messaging link handling when rendering message content containing links. A local user can send a message containing a crafted link to conduct phishing attacks.

User interaction is required to click the link, and the linked site opens within the OpenEMR or Portal interface.


5) Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CVE-ID: CVE-2025-67491)

CWE-ID: CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary script code in a victim's browser.

The vulnerability exists due to improper neutralization of script-related html tags in interface/billing/ub04_helpers.php in the ub04 helper of the billing interface when handling stored user-supplied account name data in requests to the ub04_helpers.php endpoint. A remote user can update their own fname or lname value with a specially crafted payload to execute arbitrary script code in a victim's browser.

User interaction is required because a victim must access the interface/billing/ub04_helpers.php endpoint.


6) Path traversal (CVE-ID: CVE-2026-24849)

CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to improper access control and path traversal in the disposeDocument() method of the oe-module-faxsms EtherFaxActions controller when handling a user-supplied file_path parameter in a download request. A remote user can send a specially crafted request to disclose sensitive information.

Exploitation requires a valid account, the Fax SMS module to be enabled, and EtherFax to be configured as the fax provider.


7) Arbitrary file upload (CVE-ID: CVE-2026-24848)

CWE-ID: CWE-434 - Unrestricted Upload of File with Dangerous Type

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to improper access control in the disposeDocument() method in EtherFaxActions.php when handling crafted requests to write user-supplied content to a user-specified file path. A remote user can send a specially crafted request to execute arbitrary code.

Exploitation requires valid credentials, the Fax SMS module to be enabled, and EtherFax to be configured as the fax provider.


Remediation

Install update from vendor's website.