Home / Vulnerability Intelligence / CVE-2026-24908

CVE-2026-24908 - Vulnerability Analysis

CriticalCVSS: 9.9

Last Updated: February 27, 2026

OpenEMR - SQL Injection

Published: February 25, 2026Updated: February 27, 2026PoC AvailableRemote Exploitable

Overview

OpenEMR < 8.0.0 contains an SQL injection caused by improper validation of the _sort parameter in the Patient REST API endpoint, letting authenticated API users execute arbitrary SQL queries.

Severity & Score

Severity: Critical

CVSS Score: 9.9

EPSS Score: 3.0%(Probability of exploitation in next 30 days)

Impact

Authenticated API users can execute arbitrary SQL queries, potentially exposing PHI and compromising credentials.

Mitigation

Upgrade to version 8.0.0 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Feb 25, 2026

🔴 CVE-2026-24908 - Critical (9.9) OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL injection vulnerability in the Patient REST API endpoint allows authenticated users with API access to execute ... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-24908/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-24908
Severity: Critical
CVSS Score: 9.9
Type: sql_injection
Status: confirmed
EPSS: 3.0%
Social Posts: 1

CWE

CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score

3.0%Probability of exploitation in the next 30 days