Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
8.1 HIGH
CVE-2026-34055 — OpenEMR has IDOR in Patient Notes Web UI allows unauthorized note access/modification

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the legacy patient notes functions in `library/pnotes.inc.php` perfo…

openemr | Remote | Authorization
Mar 26, 2026 Mar 26, 2026
Mar 26, 2026
Mar 26, 2026
8.1 HIGH
CVE-2026-34053 — OpenEMR Missing Authorization in Procedure Order AJAX Deletion Handler

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, missing authorization in the AJAX deletion endpoint `interface/forms…

openemr | Remote | Authorization
Mar 26, 2026 Mar 26, 2026
Mar 26, 2026
Mar 26, 2026
5.4 MEDIUM
CVE-2026-34051 — OpenEMR has Improper ACL On Import/Export Popup

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 have an improper access control on the Import/Export functionality, …

openemr | Remote | Authorization
Mar 26, 2026 Mar 26, 2026
Mar 26, 2026
Mar 26, 2026
4.3 MEDIUM
CVE-2026-33934 — OpenEMR's Missing Authorization in show-signature.php Allows Portal Patients to Read Staf…

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 have a missing authorization check in `portal/sign/lib/show-signatur…

openemr | Remote | Authorization
Mar 26, 2026 Mar 26, 2026
Mar 26, 2026
Mar 26, 2026
6.1 MEDIUM
CVE-2026-33933 — Reflected XSS via Unescaped contextName Parameter in Custom Template Editor

OpenEMR is a free and open source electronic health records and medical practice management application. Starting in version 7.0.2.1 and prior to version 8.0.0.3, a reflected cross-site scripting (XS…

openemr | Remote | Cross-Site Scripting
Mar 26, 2026 Mar 26, 2026
Mar 26, 2026
Mar 26, 2026
7.6 HIGH
CVE-2026-33932 — OpenEMR has Stored XSS in CCDA Preview via Unsanitized linkHtml Attributes

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a stored cross-site scripting vulnerability in the CCDA document pre…

openemr | Remote | Cross-Site Scripting
Mar 26, 2026 Mar 26, 2026
Mar 26, 2026
Mar 26, 2026
6.5 MEDIUM
CVE-2026-33931 — OpenEMR has IDOR in Portal Payment Page that Allows Cross-Patient Record Access

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an Insecure Direct Object Reference (IDOR) vulnerability in the pati…

openemr | Remote | Authorization
Mar 26, 2026 Mar 26, 2026
Mar 26, 2026
Mar 26, 2026
8.8 HIGH
CVE-2026-33918 — OpenEMR Missing Authorization on Claim File Download Endpoint

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the billing file-download endpoint `interface/billing/get_claim_file…

openemr | Remote | Authorization
Mar 26, 2026 Mar 26, 2026
Mar 26, 2026
Mar 26, 2026
8.8 HIGH
CVE-2026-33917 — OpenEMR has SQL Injection in CAMOS Form

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 contais a SQL injection vulnerability in the ajax_save CAMOS form th…

openemr | Remote | Injection
Mar 26, 2026 Mar 26, 2026
Mar 26, 2026
Mar 26, 2026
5.4 MEDIUM
CVE-2026-33915 — OpenEMR Missing ACL Checks on Insurance Company API Routes

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, five insurance company REST API routes are missing the `RestConfig::…

openemr | Remote | Authorization
Mar 26, 2026 Mar 26, 2026
Mar 26, 2026
Mar 26, 2026
7.2 HIGH
CVE-2026-33914 — OpenEMR has SQL Injection in PostCalendar Category Delete

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the PostCalendar module contains a blind SQL injection vulnerability…

openemr | Remote | Injection
Mar 26, 2026 Mar 26, 2026
Mar 26, 2026
Mar 26, 2026
0.0 NONE
CVE-2026-30892 — Crun incorrectly parses `crun exec` option `-u`, leading to privilege escalation

crun is an open source OCI Container Runtime fully written in C. In versions 1.19 through 1.26, the `crun exec` option `-u` (`--user`) is incorrectly parsed. The value `1` is interpreted as UID 0 an…

| Authorization
Mar 26, 2026 Mar 26, 2026
Mar 26, 2026
Mar 26, 2026
6.5 MEDIUM
CVE-2026-4825 — SourceCodester Sales and Inventory System HTTP GET Parameter update_sales.php sql injecti…

A vulnerability was found in SourceCodester Sales and Inventory System 1.0. This affects an unknown part of the file /update_sales.php of the component HTTP GET Parameter Handler. The manipulation of…

sales_and_inventory_system | Remote | Injection
Mar 25, 2026 Mar 25, 2026
Mar 25, 2026
Mar 25, 2026
7.7 HIGH
CVE-2026-33913 — OpenEMR: XInclude Injection in CCDA Import Allows Reading Arbitrary Server Files

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an authenticated user with access to the Carecoordination module can…

openemr | Remote | XML External Entity
Mar 25, 2026 Mar 26, 2026
Mar 25, 2026
Mar 26, 2026
5.4 MEDIUM
CVE-2026-33912 — OpenEMR has reflected XSS in ajax_download.php via reportID parameter

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an authenticated attacker could craft a malicious form that, when su…

openemr | Remote | Cross-Site Scripting
Mar 25, 2026 Mar 26, 2026
Mar 25, 2026
Mar 26, 2026
5.4 MEDIUM
CVE-2026-33911 — OpenEMR vulnerable to reflected XSS in graphs.php via title parameter

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the POST parameter `title` is reflected back in a JSON response buil…

openemr | Remote | Cross-Site Scripting
Mar 25, 2026 Mar 26, 2026
Mar 25, 2026
Mar 26, 2026
8.8 HIGH
CVE-2026-33910 — OpenEMR has a SQL Injection Vulnerability in patient selection

OpenEMR is a free and open source electronic health records and medical practice management application. Versions up to and including 8.0.0.2 contain a SQL injection vulnerability in the patient sele…

openemr | Remote | Injection
Mar 25, 2026 Mar 26, 2026
Mar 25, 2026
Mar 26, 2026
5.9 MEDIUM
CVE-2026-33909 — OpenEMR Vulnerable to SQL Injection via Unsanitized Variables in MedEx Recall/Reminder Pr…

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, several variables in the MedEx recall/reminder processing code are c…

openemr | Remote | Injection
Mar 25, 2026 Mar 26, 2026
Mar 25, 2026
Mar 26, 2026
8.7 HIGH
CVE-2026-33348 — OpenEMR has Stored XSS in patient encounter Eye Exam form $CHRONIC2 and $CHRONIC3

OpenEMR is a free and open source electronic health records and medical practice management application. Users with the `Notes - my encounters` role can fill Eye Exam forms in patient encounters. The…

openemr | Remote | Cross-Site Scripting
Mar 25, 2026 Mar 26, 2026
Mar 25, 2026
Mar 26, 2026
6.5 MEDIUM
CVE-2026-32120 — OpenEMR has IDOR in Fee Sheet Product Save

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an Insecure Direct Object Reference (IDOR) vulnerability in the fee …

openemr | Remote | Authorization
Mar 25, 2026 Mar 26, 2026
Mar 25, 2026
Mar 26, 2026
Showing 20 of 6040 Results