CVE-2026-25746 - Vulnerability Analysis
Severity: High | CVSS: 8.8 | Last Updated: February 25, 2026
OpenEMR - SQL Injection
Published: February 25, 2026 | Updated: February 25, 2026 | PoC Available | Remote Exploitable
Overview
OpenEMR before 8.0.0 contains a SQL injection vulnerability caused by insufficient input validation in the prescription listing functionality, allowing authenticated attackers to execute arbitrary SQL commands.
Severity & Score
Severity: High
CVSS Score: 8.8
Impact
Authenticated attackers can execute arbitrary SQL commands, potentially leading to data disclosure or modification.
Mitigation
Upgrade to OpenEMR 8.0.0 or later, which includes the fix commit listed in the references.
References
- https://github.com/openemr/openemr/blob/9fa8db9f12d0b70985195b11b90f2dc564bd3b24/library/classes/Prescription.class.php#L1148
- https://github.com/openemr/openemr/commit/e230d3ef46425ffc96a37dc6369428aa37c88554
- https://github.com/openemr/openemr/security/advisories/GHSA-78r7-g65p-gpw3
- https://github.com/ChrisSub08/CVE-2026-25746_SqlInjectionVulnerabilityOpenEMR7.0.4
- https://github.com/openemr/openemr/blob/2b46e594b9dd665fb7f16c913ca07f5c6d54412b/library/classes/Controller.class.php#L77
- https://github.com/openemr/openemr/blob/9fa8db9f12d0b70985195b11b90f2dc564bd3b24/controller.php#L6
- https://github.com/openemr/openemr/blob/9fa8db9f12d0b70985195b11b90f2dc564bd3b24/controllers/C_Prescription.class.php#L180
Details
- CVE ID: CVE-2026-25746
- Severity: High
- CVSS Score: 8.8
- Type: sql_injection
- Status: new
CWE
- CWE-89
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H