PT-2026-21984 · Openemr · Openemr

Simecek · Published 2026-02-25 · Updated 2026-02-26 · CVE-2026-25930

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: OpenEMR versions prior to 8.0.0

Description: OpenEMR is an electronic health records and medical practice management application. Versions prior to 8.0.0 do not properly verify user authorization when accessing Layout-Based Form (LBF) printable views. Specifically, the application accepts formid and visitid (or patientid) from requests without confirming the form belongs to the currently authenticated user's authorized patient or encounter. This allows an authenticated user with LBF access to enumerate form IDs and potentially view or print encounter forms for any patient. The application uses the formid and visitid (or patientid) parameters in the request to access the forms.

Recommendations: Update to version 8.0.0 or later.
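The missing check described above is a classic insecure direct object reference: the form id alone selects the record, and the visitid/patientid parameters are never reconciled with the form's own owner or with what the requesting user may see. The following is an added illustration, not OpenEMR code and not its database schema; the data model (LbfForm, FORMS, ENCOUNTER_PATIENT, USER_PATIENTS) and the two lookup functions are assumptions constructed to contrast the vulnerable pattern with one that ties the form to the requested encounter or patient and to the user's authorization before serving it.

```python
"""Authorization check for a printable-form lookup (added example, generic model).

Assumptions: a form record carries its encounter and patient ids, encounters map
to exactly one patient, and each user has an explicit set of patients they may
access. None of these names are OpenEMR's own.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LbfForm:
    form_id: int
    encounter_id: int
    patient_id: int
    content: str


# Constructed sample data: two forms belonging to two different patients.
FORMS = {
    101: LbfForm(101, encounter_id=5001, patient_id=77, content="Vitals for patient 77"),
    102: LbfForm(102, encounter_id=5002, patient_id=88, content="Intake for patient 88"),
}
ENCOUNTER_PATIENT = {5001: 77, 5002: 88}
# Which patients each authenticated user is authorized to see (constructed).
USER_PATIENTS = {"alice": {77}, "bob": {88}}


def fetch_form_unchecked(user: str, form_id: int,
                         visit_id: Optional[int] = None,
                         patient_id: Optional[int] = None) -> Optional[str]:
    """Vulnerable pattern: any logged-in user gets whatever form_id names.

    visit_id / patient_id are accepted but never compared against the record,
    so iterating form_id reveals every patient's forms.
    """
    if user not in USER_PATIENTS:
        return None  # not authenticated
    form = FORMS.get(form_id)
    return form.content if form else None


def check_form_access(user: str, form_id: int,
                      visit_id: Optional[int] = None,
                      patient_id: Optional[int] = None) -> Optional[str]:
    """Return None when access is allowed, otherwise a denial reason.

    Every denial is reported with the same wording externally (see
    fetch_form_checked) so a missing form and a foreign form are
    indistinguishable to the caller; the reason strings are for logging.
    """
    if user not in USER_PATIENTS:
        return "not authenticated"
    form = FORMS.get(form_id)
    if form is None:
        return "no such form"
    # 1. The request must be scoped to an encounter or a patient, and that
    #    scope must agree with the form's own record.
    if visit_id is None and patient_id is None:
        return "request not scoped to an encounter or patient"
    if visit_id is not None and form.encounter_id != visit_id:
        return "form does not belong to the requested encounter"
    if patient_id is not None and form.patient_id != patient_id:
        return "form does not belong to the requested patient"
    # 2. The encounter on the form must belong to the patient on the form.
    if ENCOUNTER_PATIENT.get(form.encounter_id) != form.patient_id:
        return "encounter/patient mismatch in stored record"
    # 3. The authenticated user must be authorized for that patient.
    if form.patient_id not in USER_PATIENTS[user]:
        return "user not authorized for this patient"
    return None


def fetch_form_checked(user: str, form_id: int,
                       visit_id: Optional[int] = None,
                       patient_id: Optional[int] = None) -> Optional[str]:
    """Hardened pattern: serve the form only when check_form_access allows it."""
    reason = check_form_access(user, form_id, visit_id, patient_id)
    if reason is not None:
        # Log the precise reason server-side; return a uniform "not found"
        # (None) to the client so form ids cannot be enumerated via errors.
        print(f"denied form {form_id} for {user}: {reason}")
        return None
    return FORMS[form_id].content


if __name__ == "__main__":
    # alice may see patient 77 only; form 102 belongs to patient 88.
    print(fetch_form_unchecked("alice", 102, visit_id=5002))  # leaks patient 88's form
    print(fetch_form_checked("alice", 102, visit_id=5002))    # None
    print(fetch_form_checked("alice", 101, visit_id=5001))    # alice's own patient
```

The three-step check is the point: the request parameters are validated against the stored record, the record is validated against itself, and the record's patient is validated against the user's authorization. Dropping any one of the three reopens the problem the advisory describes.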

Exploit · Fix · IDOR


Weakness Enumeration

Related Identifiers

CVE-2026-25930
GHSA-H3XX-8CP7-HF7M

Affected Products

Openemr