CVE-2026-25746 - Vulnerability Analysis
HighCVSS: 8.8Last Updated: February 27, 2026
OpenEMR - SQL Injection
Overview
OpenEMR < 8.0.0 contains a sql injection caused by insufficient input validation in prescription listing functionality, letting authenticated attackers execute arbitrary SQL commands.
Severity & Score
Impact
Authenticated attackers can execute arbitrary SQL commands, potentially leading to data disclosure or modification.
Mitigation
Upgrade to version 8.0.0 or later.
References
- https://github.com/openemr/openemr/security/advisories/GHSA-78r7-g65p-gpw3
- https://github.com/ChrisSub08/CVE-2026-25746_SqlInjectionVulnerabilityOpenEMR7.0.4
- https://github.com/openemr/openemr/blob/2b46e594b9dd665fb7f16c913ca07f5c6d54412b/library/classes/Controller.class.php#L77
- https://github.com/openemr/openemr/blob/9fa8db9f12d0b70985195b11b90f2dc564bd3b24/controller.php#L6
- https://github.com/openemr/openemr/blob/9fa8db9f12d0b70985195b11b90f2dc564bd3b24/controllers/C_Prescription.class.php#L180
- https://github.com/openemr/openemr/blob/9fa8db9f12d0b70985195b11b90f2dc564bd3b24/library/classes/Prescription.class.php#L1148
- https://github.com/openemr/openemr/commit/e230d3ef46425ffc96a37dc6369428aa37c88554
Social Media Activity(1 post)
š CVE-2026-25746 - High (8.8) OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0 contain a SQL injection vulnerability in prescription that can be exploited by authenticated attackers. The vulnerabil... š https://www.thehackerwire.com/vulnerability/CVE-2026-25746/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
View original postGitHub Repositories(1 repo)
Related Resources
Details
- CVE ID
- CVE-2026-25746
- Severity
- High
- CVSS Score
- 8.8
- Type
- sql_injection
- Status
- confirmed
- EPSS
- 3.9%
- Social Posts
- 1
CWE
- CWE-89
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H