CVE-2026-23627 - Vulnerability Analysis
Severity: High
CVSS: 8.8
Last Updated: February 27, 2026
OpenEMR - SQL Injection
Published: February 25, 2026
Updated: February 27, 2026
Flags: PoC Available, Remote Exploitable
Overview
OpenEMR before 8.0.0 contains an SQL injection vulnerability: unsanitized patient_id input is concatenated directly into SQL WHERE clauses in the Immunization module, letting authenticated users execute arbitrary SQL queries and compromise the database.
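The bug class described above, as an added example that is not OpenEMR's code: a constructed in-memory table stands in for the immunization data, and the assumed functions immunizations_vulnerable and immunizations_hardened contrast string concatenation of patient_id with allow-list validation plus parameter binding.

```python
import re
import sqlite3

# Constructed in-memory stand-in for an immunization table (not OpenEMR's schema).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE immunizations (id INTEGER, patient_id INTEGER, vaccine TEXT)")
    conn.executemany("INSERT INTO immunizations VALUES (?, ?, ?)",
                     [(1, 100, "MMR"), (2, 100, "Tdap"), (3, 200, "HepB")])
    return conn

def immunizations_vulnerable(conn, raw_patient_id):
    # Vulnerable pattern: the request value is spliced straight into the WHERE clause,
    # so any SQL the caller appends becomes part of the query.
    sql = "SELECT id, vaccine FROM immunizations WHERE patient_id = " + raw_patient_id
    return conn.execute(sql).fetchall()

def parse_patient_id(raw_patient_id):
    # Allow-list the expected shape (a decimal identifier) before it touches SQL.
    if not re.fullmatch(r"[0-9]{1,10}", raw_patient_id):
        raise ValueError("patient_id must be a decimal integer")
    return int(raw_patient_id)

def immunizations_hardened(conn, raw_patient_id):
    # Hardened form: validate, then bind the value as a query parameter so the
    # database never interprets user input as SQL syntax.
    patient_id = parse_patient_id(raw_patient_id)
    sql = "SELECT id, vaccine FROM immunizations WHERE patient_id = ?"
    return conn.execute(sql, (patient_id,)).fetchall()

def hardened_rejects(conn, raw_patient_id):
    # True when the hardened path refuses the input instead of running a query.
    try:
        immunizations_hardened(conn, raw_patient_id)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print(immunizations_vulnerable(db, "100 OR 1=1"))  # every patient's rows leak
    print(immunizations_hardened(db, "100"))           # only patient 100's rows
    print(hardened_rejects(db, "100 OR 1=1"))          # True
```

The same contrast applies to the PHP code path in OpenEMR: a prepared statement with a bound parameter, preceded by integer validation, is the fix the 8.0.0 upgrade delivers.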
Severity & Score
Severity: High
CVSS Score: 8.8
Impact
Authenticated users can execute arbitrary SQL queries, leading to full database compromise, PHI exfiltration, credential theft, and potential remote code execution.
Mitigation
Upgrade to version 8.0.0 or later.
Details
- CVE ID: CVE-2026-23627
- Severity: High
- CVSS Score: 8.8
- Type: sql_injection
- Status: confirmed
CWE
- CWE-89
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H