Home / Vulnerability Intelligence / CVE-2026-23627

CVE-2026-23627 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: February 27, 2026

OpenEMR - SQL Injection

Published: February 25, 2026Updated: February 27, 2026PoC AvailableRemote Exploitable

Overview

OpenEMR < 8.0.0 contains an SQL injection caused by unsanitized patient_id input concatenated into SQL WHERE clauses in the Immunization module, letting authenticated users execute arbitrary SQL queries and compromise the database.

Severity & Score

Severity: High

CVSS Score: 8.8

EPSS Score: 0.8%(Probability of exploitation in next 30 days)

Impact

Authenticated users can execute arbitrary SQL queries, leading to full database compromise, PHI exfiltration, credential theft, and potential remote code execution.

Mitigation

Upgrade to version 8.0.0 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 1, 2026

🟠 CVE-2026-23627 - High (8.8) OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL injection vulnerability in the Immunization module allows any authenticated user to execute arbitrary SQL queri... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-23627/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-23627
Severity: High
CVSS Score: 8.8
Type: sql_injection
Status: confirmed
EPSS: 0.8%
Social Posts: 1

CWE

CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

0.8%Probability of exploitation in the next 30 days