CVE-2025-67752HIGH 8.1EPSS p13.9%

CVE-2025-67752CVE-2025-67752

Description

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, OpenEMR's HTTP client wrapper (`oeHttp`/`oeHttpRequest`) disables SSL/TLS certificate verification by default (`verify: false`), making all external HTTPS connections vulnerable to man-in-the-middle (MITM) attacks. This affects communication with government healthcare APIs and user-configurable external services, potentially exposing Protected Health Information (PHI). Version 7.0.4 fixes the issue.

Scoring

CVSS 3.18.1 (HIGH)
VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.23% probability of exploitation · percentile 13.9% · 2026-06-19T12:03:05Z
Published2026-02-25
Last modified2026-02-25

Underlying weaknesses· 1

CWE-295

References

  1. https://github.com/openemr/openemr/commit/22f8e53e5769a88b7a16cb223bd197d044c84e5a
  2. https://github.com/openemr/openemr/security/advisories/GHSA-2g6h-725p-pqhp

1

TypeTargetConfidenceTier
WeaknessImproper Certificate Validationcwe-2950%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-67645
CVE
CVE-2026-25746
CVE
CVE-2026-23627
CVE
CVE-2026-24898
CVE
CVE-2026-25164
CVE
CVE-2026-25146
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.