Skip to content

Security data

Weaknesses (CWE)The MITRE CWE weakness catalog
Attack Patterns (CAPEC)MITRE CAPEC attack patterns
CNAsNumbering authorities + report cards
VendorsVulnerabilities by vendor

Tools

CVSS CalculatorScore CVSS 4.0, 3.1, 3.0 & 2.0

Resources

LearnPlain-English security guides
Data SourcesHow we source CVE data

About Us Blog Pricing Book a Demo

Log in

RadicalNotion.AI

We do not sell or share your personal information

© 2026 RadicalNotion.AI

Security Data

CWE Directory
CAPEC Directory
CNA Directory
CNA Report Cards
Data Sources

Calculators

CVSS Calculator
CVSS 4.0
CVSS 3.1
CVSS 3.0
CVSS 2.0

Platform

My Vulnerabilities
Insights
Notifications
Account
Pricing

Company

About us
Blog
Learn
Book a demo

Get Started

Sign up
Log in

Legal

Privacy
Terms

Home
Vendors
Open Emr

open-emr Vulnerabilities: CVEs, CISA KEV & Security Advisories

217 CVEs

open-emr Vulnerabilities

CVE security advisories and vulnerability history for open-emr.

217

Total CVEs

Published

0

In CISA KEV

Exploited in the wild

113

Public exploits

With known exploit

7.1

Avg CVSS

2012–2026

Overview

open-emr has 217 published CVE records since 2012, of which 0 are in CISA's Known Exploited Vulnerabilities catalog and 113 have a known public exploit. The average CVSS base score across scored CVEs is 7.1.

This page aggregates every publicly disclosed vulnerability (CVE) affecting open-emr products, with severity breakdowns, the most-affected products, the most common weakness types, and the latest disclosures.

Severity and exploitation

How the CVSS severity of open-emr's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical12

High67

Medium56

Low3

79 additional CVEs have no CVSS severity score.

In CISA’s Known Exploited Vulnerabilities catalog

0

None of open-emr's CVEs are currently listed in CISA's KEV catalog.

Public exploits

113

113 of open-emr's CVEs have a known public exploit available.

Most affected products

The open-emr products with the most published CVEs.

openemr217 CVEs
openemr/openemr37 CVEs
phpGACL7 CVEs
mpdf1 CVEs

Common weakness types

The CWE weakness categories most often found in open-emr CVEs. Follow any weakness for its full explanation.

CWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')44 CVEs
CWE-639Authorization Bypass Through User-Controlled Key16 CVEs
CWE-89Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')14 CVEs
CWE-862Missing Authorization11 CVEs
CWE-284Improper Access Control6 CVEs
CWE-80Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)4 CVEs
CWE-200Exposure of Sensitive Information to an Unauthorized Actor4 CVEs
CWE-22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')4 CVEs

CNAs that assign these CVEs

The CVE Numbering Authorities that publish open-emr CVE records.

GitHub_M82 CVEs
mitre73 CVEs
@huntrdev36 CVEs
talos8 CVEs
Mend7 CVEs
tenable6 CVEs
VulnCheck3 CVEs
redhat1 CVEs

Disclosure activity by year

How many open-emr CVEs were published each year.

2019

19

2020

1

2021

26

2022

29

2023

14

2024

3

2025

11

2026

75

Latest open-emr CVEs

The most recently disclosed vulnerabilities affecting open-emr.

OpenEMR 7.0.1 Authentication Brute Force Mitigation Bypass
CWE-307
High · CVSS 8.7
EPSS 0.2%2026-05-05
OpenEMR has a Privilege Escalation that Allows a Low-Level User to View Admin-Only Data
CWE-425
High · CVSS 7.7
EPSS 0.0%2026-03-25
OpenEMR has IDOR in Patient Notes Web UI allows unauthorized note access/modification
CWE-639
High · CVSS 8.1
EPSS 0.0%2026-03-25
OpenEMR Missing Authorization in Procedure Order AJAX Deletion Handler
CWE-862
High · CVSS 7.1
EPSS 0.0%2026-03-25
OpenEMR has Improper ACL On Import/Export Popup
CWE-425
Medium · CVSS 5.4
EPSS 0.0%2026-03-25
OpenEMR's Missing Authorization in show-signature.php Allows Portal Patients to Read Staff Signatures
CWE-639
Medium · CVSS 4.3
EPSS 0.1%2026-03-25
Reflected XSS via Unescaped contextName Parameter in Custom Template Editor
CWE-79
Medium · CVSS 6.1
EPSS 0.0%2026-03-25
OpenEMR has Stored XSS in CCDA Preview via Unsanitized linkHtml Attributes
CWE-79
High · CVSS 7.6
EPSS 0.0%2026-03-25
OpenEMR has IDOR in Portal Payment Page that Allows Cross-Patient Record Access
CWE-639
Medium · CVSS 6.5
EPSS 0.0%2026-03-25
OpenEMR Missing Authorization on Claim File Download Endpoint
CWE-862
High · CVSS 7.6
EPSS 0.0%2026-03-25
OpenEMR has SQL Injection in CAMOS Form
CWE-89
High · CVSS 8.8
EPSS 0.0%2026-03-25
OpenEMR Missing ACL Checks on Insurance Company API Routes
CWE-862
Medium · CVSS 5.4
EPSS 0.0%2026-03-25

Track new open-emr CVEs as they are disclosed and get AI-written analysis and remediation guidance.

Monitor open-emr CVEs

Other vendors

Browse vulnerabilities for other tracked vendors.

OpenText221 CVEs h3c220 CVEs com.liferay.portal218 CVEs realnetworks218 CVEs glpi-project217 CVEs Acronis214 CVEs trendnet214 CVEs kde214 CVEs

Browse all vendors

Frequently asked questions

Common questions about open-emr vulnerabilities.

How many CVEs does open-emr have?

open-emr has 217 published CVE records since 2012, including 86 in the last two years.

How many open-emr CVEs are in CISA KEV?

None of open-emr's CVEs are currently listed in CISA's Known Exploited Vulnerabilities catalog.

Which open-emr products have the most CVEs?

The open-emr products with the most published CVEs are openemr, openemr/openemr, phpGACL, mpdf.

What are the most common weakness types in open-emr CVEs?

open-emr's CVEs most often map to these CWE weakness types: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')), CWE-639 (Authorization Bypass Through User-Controlled Key), CWE-89 (Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')), CWE-862 (Missing Authorization).

Are there public exploits for open-emr vulnerabilities?

Yes — 113 of open-emr's CVEs have a known public exploit.

How many critical open-emr vulnerabilities are there?

open-emr has 12 critical and 67 high-severity CVEs.

What is the average severity of open-emr CVEs?

The average CVSS base score across open-emr's scored CVEs is 7.1.

References

The MITRE CVE Program (opens in a new tab)
Learn: What is a CVE?
CWE directory: the weakness types these CVEs map to
CNA directory: the CNAs that assign these CVEs

Vulnerability data is sourced from the CVE Program; severity, KEV, and exploit signals are aggregated by RadicalNotion.AI.

Track open-emr vulnerabilities

Monitor new open-emr vulnerabilities as they are disclosed, with AI-written analysis and remediation guidance.

Start free See pricing

On this page

Overview
Severity and exploitation
Most affected products
Common weakness types
Assigning CNAs
Disclosure activity
Latest CVEs
Other vendors
FAQ
References