CVE-2026-23627HIGH 8.8EPSS p51.1%

CVE-2026-23627CVE-2026-23627

Description

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL injection vulnerability in the Immunization module allows any authenticated user to execute arbitrary SQL queries, leading to complete database compromise, PHI exfiltration, credential theft, and potential remote code execution. The vulnerability exists because user-supplied `patient_id` values are directly concatenated into SQL WHERE clauses without parameterization or escaping. Version 8.0.0 patches the issue.

Scoring

CVSS 3.18.8 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS0.78% probability of exploitation · percentile 51.1% · 2026-06-19T12:03:05Z
Published2026-02-25
Last modified2026-02-27

Underlying weaknesses· 1

CWE-89

References

  1. https://github.com/openemr/openemr/commit/cbf4ea4345b14a6c8362201e30c74ffb0949cdb1
  2. https://github.com/openemr/openemr/security/advisories/GHSA-x3hw-rwrg-v25h

1

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection')cwe-890%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-33910
CVE
CVE-2026-25746
CVE
CVE-2026-29187
CVE
CVE-2026-32127
CVE
CVE-2026-32238
CVE
CVE-2026-33917
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.