CVE-2026-23627 | THREATINT

Description

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL injection vulnerability in the Immunization module allows any authenticated user to execute arbitrary SQL queries, leading to complete database compromise, PHI exfiltration, credential theft, and potential remote code execution. The vulnerability exists because user-supplied `patient_id` values are directly concatenated into SQL WHERE clauses without parameterization or escaping. Version 8.0.0 patches the issue.

PUBLISHED Reserved 2026-01-14 | Published 2026-02-25 | Updated 2026-02-26 | Assigner GitHub_M

HIGH: 7.4CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Problem types

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

< 8.0.0

affected

References

github.com/...penemr/security/advisories/GHSA-x3hw-rwrg-v25h

github.com/...ommit/cbf4ea4345b14a6c8362201e30c74ffb0949cdb1

cve.org (CVE-2026-23627)

nvd.nist.gov (CVE-2026-23627)

Download JSON