CVE-2025-67645 · HIGH 8.8 · EPSS percentile 24.9%

Description

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a broken access control in the Profile Edit endpoint. An authenticated normal user can modify the request parameters (pubpid / pid) to reference another user’s record; the server accepts the modified IDs and applies the changes to that other user’s profile. This allows one user to alter another user’s profile data (name, contact info, etc.), and could enable account takeover. Version 7.0.4 fixes the issue.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.33% probability of exploitation · percentile 24.9% · scored 2026-06-19T12:03:05Z
Published: 2026-01-28
Last modified: 2026-02-12

Underlying weaknesses (1)

CWE-284 (Improper Access Control)

References

  1. https://github.com/openemr/openemr/commit/e2a682ee71aac71a9f04ae566f4ffca10052bc4a
  2. https://github.com/openemr/openemr/security/advisories/GHSA-vjmv-cf46-gffv

Weakness mappings (1)

Type      | Target                              | Confidence | Tier
Weakness  | Improper Access Control (cwe-284)   | 0%         | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2026-25131
  2. CVE: CVE-2026-25164
  3. CVE: CVE-2025-67752
  4. CVE: CVE-2026-34053
  5. CVE: CVE-2026-46518
  6. CVE: CVE-2026-23627
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.