PT-2026-21974 · Openemr · Openemr

Simecek · Published 2026-02-25 · Updated 2026-02-27 · CVE-2026-24908

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenEMR versions prior to 8.0.0

Description: OpenEMR is an electronic health records and medical practice management application. A flaw exists in the Patient REST API endpoint where an authenticated user with API access can execute arbitrary SQL queries through the sort parameter. This is due to insufficient validation of user-supplied input used in SQL ORDER BY clauses. Successful exploitation could lead to database access, exposure of Protected Health Information (PHI), and compromise of credentials.

Recommendations: Update to version 8.0.0 or later.
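To make the weakness and its mitigation concrete, here is an added example (not OpenEMR's code and not part of the advisory) that shows the unvalidated ORDER BY pattern the description refers to beside an allowlist-based validator for a `sort` parameter. The table name, column names, the `-col` convention for descending order, and the sample rows are constructed assumptions for the demonstration, not values taken from OpenEMR.

```python
import re
import sqlite3

# Constructed allowlist: the only columns the endpoint is willing to sort by.
# (Illustrative names; not taken from the OpenEMR schema.)
ALLOWED_SORT_COLUMNS = ("pid", "lname", "fname", "DOB")
_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def parse_sort_param(sort, allowed=ALLOWED_SORT_COLUMNS):
    """Validate a ?sort= value and return (column, direction).

    Assumed convention: 'col' sorts ascending, '-col' sorts descending.
    Anything that is not exactly one allowlisted identifier is rejected,
    so no user-controlled text ever reaches the ORDER BY clause.
    """
    if not isinstance(sort, str) or not sort:
        raise ValueError("sort must be a non-empty string")
    direction = "ASC"
    if sort[0] == "-":
        direction = "DESC"
        sort = sort[1:]
    if not _IDENT.fullmatch(sort) or sort not in allowed:
        raise ValueError(f"unsupported sort column: {sort!r}")
    return sort, direction


def build_patient_query_unsafe(sort):
    """The vulnerable pattern: the raw request parameter is spliced into
    ORDER BY, so whatever the caller sends becomes part of the SQL text."""
    return f"SELECT pid, fname, lname FROM patient_data ORDER BY {sort}"


def build_patient_query(sort):
    """Hardened form: only an allowlisted column and a fixed ASC/DESC token
    are interpolated, and the identifier is quoted."""
    column, direction = parse_sort_param(sort)
    return (
        f'SELECT pid, fname, lname FROM patient_data ORDER BY "{column}" {direction}'
    )


def make_demo_db():
    """In-memory SQLite table holding constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patient_data (pid INTEGER, fname TEXT, lname TEXT, DOB TEXT)"
    )
    conn.executemany(
        "INSERT INTO patient_data VALUES (?, ?, ?, ?)",
        [
            (1, "Ada", "Zimmer", "1980-01-01"),
            (2, "Ben", "Adams", "1975-06-30"),
            (3, "Cy", "Miller", "1990-12-12"),
        ],
    )
    return conn


def list_patient_ids(conn, sort):
    """Run the hardened query and return the ordered list of pids."""
    return [row[0] for row in conn.execute(build_patient_query(sort))]


def is_rejected(sort):
    """True when the validator refuses the given sort value."""
    try:
        parse_sort_param(sort)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = make_demo_db()
    print(list_patient_ids(conn, "lname"))  # [2, 3, 1]
    print(list_patient_ids(conn, "-pid"))   # [3, 2, 1]
    print(is_rejected("lname, fname"))      # True
```

The important design point is that an ORDER BY column cannot be bound as a query parameter in most database drivers, so the only safe approach is to map the request value onto a fixed set of server-side identifiers and reject everything else; a detection rule on the API layer can log the rejections, since repeated `unsupported sort column` errors from one account are a useful signal of probing.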

Weakness Enumeration

SQL injection

Related Identifiers

CVE-2026-24908
GHSA-RCC2-45V3-QMQM

Affected Products

Openemr