PT-2026-28136 · Openemr · Openemr

Published 2026-03-25 · Updated 2026-03-26 · CVE-2026-32120

CVSS v3.1: 6.5 Medium

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

OpenEMR versions prior to 8.0.0.3

Description

OpenEMR is an electronic health records and medical practice management application. A flaw in the fee sheet product save logic in library/FeeSheet.class.php allows authenticated users with fee sheet access to manipulate drug sales records for any patient by modifying the hidden prod[][sale_id] form field. The save() method uses the supplied sale_id in SQL queries (SELECT, UPDATE, DELETE) without verifying that the record belongs to the current patient and encounter.

Recommendations

Update to version 8.0.0.3 or later.
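
The missing check described above, modelled as an added example (not OpenEMR code and not the project's patch): an update keyed only on the client-supplied sale_id, beside one that also binds the row to the session's patient and encounter. The table layout, the pid and encounter column names, and the function names are assumptions made for illustration; the same scoping applies to the SELECT and DELETE paths.

```python
import sqlite3

def make_db():
    # Constructed sample data: a simplified stand-in for a drug sales table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE drug_sales (sale_id INTEGER PRIMARY KEY, "
               "pid INTEGER, encounter INTEGER, quantity INTEGER, fee REAL)")
    db.executemany("INSERT INTO drug_sales VALUES (?, ?, ?, ?, ?)",
                   [(1, 100, 5001, 30, 12.50),   # belongs to patient 100
                    (2, 200, 7001, 10, 80.00)])  # belongs to patient 200
    return db

def save_unscoped(db, pid, encounter, item):
    """'Before' pattern: the form's sale_id alone selects the row."""
    cur = db.execute(
        "UPDATE drug_sales SET quantity = ?, fee = ? WHERE sale_id = ?",
        (item["quantity"], item["fee"], item["sale_id"]))
    return cur.rowcount

def save_scoped(db, pid, encounter, item):
    """Hardened pattern: the row must match the session's patient and encounter."""
    cur = db.execute(
        "UPDATE drug_sales SET quantity = ?, fee = ? "
        "WHERE sale_id = ? AND pid = ? AND encounter = ?",
        (item["quantity"], item["fee"], item["sale_id"], pid, encounter))
    if cur.rowcount != 1:
        # Fail loudly so the mismatch can be logged and audited.
        raise PermissionError(
            f"sale_id {item['sale_id']} is not part of "
            f"patient {pid} encounter {encounter}")
    return cur.rowcount

def row(db, sale_id):
    return db.execute(
        "SELECT pid, quantity, fee FROM drug_sales WHERE sale_id = ?",
        (sale_id,)).fetchone()

if __name__ == "__main__":
    # Fee sheet is open for patient 100 / encounter 5001, but the
    # submitted form item references sale_id 2 (patient 200's record).
    form_item = {"sale_id": 2, "quantity": 0, "fee": 0.0}
    db = make_db()
    print("unscoped:", save_unscoped(db, 100, 5001, form_item), row(db, 2))
    db = make_db()
    try:
        save_scoped(db, 100, 5001, form_item)
    except PermissionError as exc:
        print("scoped save rejected:", exc, "| row unchanged:", row(db, 2))
```
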

Exploit

Fix

IDOR

Weakness Enumeration

Related Identifiers

CVE-2026-32120
GHSA-PVVJ-MV7H-7847

Affected Products

Openemr