SB20260423173 - Multiple vulnerabilities in OpenEMR
Published: April 23, 2026 Updated: April 30, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 16 vulnerabilities.
1) SQL injection (CVE-ID: CVE-2026-33909)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary SQL commands.
The vulnerability exists due to improper neutralization of special elements used in an SQL command in the MedEx recall/reminder processing code when processing MedEx preference values or external MedEx API response data. A remote privileged user can supply crafted input that is concatenated into SQL queries to execute arbitrary SQL commands.
MedEx must be explicitly enabled, and exploitation depends on controlling MedEx preference data or the MedEx API connection.
2) Cross-site scripting (CVE-ID: CVE-2026-33348)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in a victim's browser.
The vulnerability exists due to cross-site scripting in the Eye Exam form answer display function when rendering stored form answers for the $CHRONIC2 and $CHRONIC3 fields. A remote user can submit a crafted form payload to execute arbitrary JavaScript in a victim's browser.
User interaction is required when a user with the form role views the affected patient encounter, visit history, or print report.
3) Cross-site scripting (CVE-ID: CVE-2026-33911)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in a victim's session.
The vulnerability exists due to cross-site scripting in graphs.php when handling a crafted POST request through the title parameter. A remote user can send a specially crafted request to execute arbitrary JavaScript in a victim's session.
The issue occurs because the reflected input is returned in a response served with a text/html content type, causing the browser to interpret injected HTML or script content.
4) Cross-site scripting (CVE-ID: CVE-2026-33912)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in the victim's browser session.
The vulnerability exists due to cross-site scripting in custom/ajax_download.php when handling the reportID POST parameter. A remote user can submit a specially crafted form to execute arbitrary JavaScript in the victim's browser session.
User interaction is required to submit the crafted form.
5) XML External Entity injection (CVE-ID: CVE-2026-33913)
CWE-ID: CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper restriction of xml external entity reference in the CCDA import functionality in src/Services/Cda/XmlExtended.php when parsing uploaded CCDA XML with XInclude processing enabled. A remote user can upload a crafted CCDA document containing XInclude directives to disclose sensitive information.
Exploitation requires access to the Carecoordination module, and only instances with that module enabled are vulnerable.
6) SQL injection (CVE-ID: CVE-2026-33914)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary SQL commands.
The vulnerability exists due to improper neutralization of special elements used in an SQL command in the PostCalendar categoriesUpdate administrative function when handling the dels POST parameter. A remote privileged user can send a specially crafted POST parameter to execute arbitrary SQL commands.
The issue is blind and supports time-based data extraction.
7) Missing Authorization (CVE-ID: CVE-2026-33915)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify insurance company records.
The vulnerability exists due to missing authorization in insurance company REST API routes when handling authenticated API requests to the insurance company endpoints. A remote user can send crafted API requests to modify insurance company records.
The affected routes also expose insurance company data and insurance types without the expected administrative ACL checks.
8) SQL injection (CVE-ID: CVE-2026-33917)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary SQL commands.
The vulnerability exists due to SQL injection in the CAMOS ajax_save page and content_parser.php when processing the user-supplied content parameter. A remote user can send a specially crafted request to execute arbitrary SQL commands.
The issue affects the process_commands and addAppt code paths in the CAMOS form.
9) Missing Authorization (CVE-ID: CVE-2026-33918)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to download sensitive claim batch files and permanently delete them.
The vulnerability exists due to missing authorization in interface/billing/get_claim_file.php when handling direct requests to the claim file download endpoint. A remote user can send a crafted request to download sensitive claim batch files and permanently delete them.
Claim batch filenames follow a predictable timestamp pattern, which makes enumeration straightforward.
10) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-33931)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to authorization bypass through a user-controlled key in portal/portal_payment.php and getPortalAuditRec() when handling a recid query parameter. A remote user can manipulate the recid parameter to disclose sensitive information.
Sequential record identifiers can be enumerated, and affected responses may expose invoice and billing data as well as payment card metadata.
11) Cross-site scripting (CVE-ID: CVE-2026-33932)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in a clinician's browser session.
The vulnerability exists due to improper neutralization of input during web page generation in the CCDA document preview XSL transformation for linkHtml attributes when processing a crafted CCDA document. A remote user can upload or send a crafted CCDA document containing javascript: URIs or event handler attributes to execute arbitrary JavaScript in a clinician's browser session.
User interaction is required when the document is previewed and the rendered link is clicked.
12) Cross-site scripting (CVE-ID: CVE-2026-33933)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary JavaScript in an authenticated staff member's browser session.
The vulnerability exists due to cross-site scripting in library/custom_template/custom_template.php when handling a crafted URL containing the contextName parameter. A remote attacker can send a specially crafted URL to execute arbitrary JavaScript in an authenticated staff member's browser session.
User interaction is required, and exploitation depends on the victim opening the crafted URL.
13) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-33934)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to authorization bypass through a user-controlled key in portal/sign/lib/show-signature.php when handling portal requests with attacker-controlled user and type values. A remote user can send a specially crafted POST request to disclose sensitive information.
Only deployments with the patient portal enabled are vulnerable. When mode is set to fetch_info, the endpoint also returns the targeted staff member's full name.
14) SQL injection (CVE-ID: CVE-2026-33910)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary SQL commands.
The vulnerability exists due to improper neutralization of special elements used in an SQL command in the patient selection feature when processing database entries from the layout_options table during patient selection queries. A remote privileged user can insert a crafted payload into layout_options.field_id to execute arbitrary SQL commands.
The proof of concept uses /interface/super/edit_layout.php to place the payload before triggering the vulnerable query in getByPatientDemographics in library/patient.inc.php.
15) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-32120)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify or delete arbitrary patients' drug sale records.
The vulnerability exists due to authorization bypass through a user-controlled key in the fee sheet product save logic in library/FeeSheet.class.php when processing user-supplied sale_id values from fee sheet form data. A remote user can submit a specially crafted fee sheet request with a manipulated hidden prod[][sale_id] field to modify or delete arbitrary patients' drug sale records.
The issue affects users with fee sheet ACL access, and sale_id values can be enumerated because they are auto-increment integers.
16) SQL injection (CVE-ID: CVE-2026-29187)
CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to execute arbitrary SQL commands.
The vulnerability exists due to SQL injection in interface/new/new_search_popup.php when processing HTTP GET or POST parameter keys starting with mf_. A remote user can send specially crafted parameter keys to execute arbitrary SQL commands.
The issue is blind boolean-based and stems from using parameter keys as SQL identifiers without validating them as valid column names.
Remediation
Install update from vendor's website.
References
- https://github.com/openemr/openemr/security/advisories/GHSA-6vx2-w9hw-prqj
- https://github.com/openemr/openemr/security/advisories/GHSA-6ch2-p26g-x33h
- https://github.com/openemr/openemr/security/advisories/GHSA-wwhf-6cvc-6766
- https://github.com/openemr/openemr/security/advisories/GHSA-cpph-949w-w79v
- https://github.com/openemr/openemr/security/advisories/GHSA-9757-3cfj-wc8q
- https://github.com/openemr/openemr/security/advisories/GHSA-rq3v-38x5-3rm5
- https://github.com/openemr/openemr/security/advisories/GHSA-ww94-26v7-x4gp
- https://github.com/openemr/openemr/security/advisories/GHSA-r6xq-mfwf-wgq8
- https://github.com/advisories/GHSA-r6xq-mfwf-wgq8
- https://github.com/openemr/openemr/security/advisories/GHSA-g3p5-5grq-m65m
- https://github.com/openemr/openemr/security/advisories/GHSA-hf37-5rp9-j27j
- https://github.com/openemr/openemr/security/advisories/GHSA-g77x-9p3x-2j8f
- https://github.com/openemr/openemr/security/advisories/GHSA-9qh7-cfq4-j7c3
- https://github.com/openemr/openemr/security/advisories/GHSA-w9w5-7x6h-657q
- https://github.com/openemr/openemr/security/advisories/GHSA-x32c-xj5g-7jx7
- https://github.com/openemr/openemr/security/advisories/GHSA-pvvj-mv7h-7847
- https://github.com/openemr/openemr/security/advisories/GHSA-2r7h-xm8v-m872