Home / Vulnerability Intelligence / CVE-2026-25131

CVE-2026-25131 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: February 25, 2026

OpenEMR - Broken Access Control

Published: February 25, 2026Updated: February 25, 2026PoC AvailableRemote Exploitable

Overview

OpenEMR < 8.0.0 contains a broken access control vulnerability caused by improper authorization in the order types management system at /openemr/interface/orders/types_edit.php, letting low-privilege users add and modify procedure types.

Severity & Score

Severity: High

CVSS Score: 8.8

EPSS Score: 3.4%(Probability of exploitation in next 30 days)

Impact

Low-privilege users can add or modify procedure types, potentially leading to unauthorized data manipulation and workflow disruption.

Mitigation

Upgrade to version 8.0.0 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Feb 25, 2026

🟠 CVE-2026-25131 - High (8.8) OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a Broken Access Control vulnerability exists in the OpenEMR order types management system, allowing low-privilege user... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-25131/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-25131
Severity: High
CVSS Score: 8.8
Type: broken_access_control
Status: confirmed
EPSS: 3.4%
Social Posts: 1

CWE

CWE-862

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

3.4%Probability of exploitation in the next 30 days