{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/openemr/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-33913","xxe","openemr","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenEMR, a free and open-source electronic health records and medical practice management application, is vulnerable to an XML External Entity (XXE) injection attack (CVE-2026-33913). This vulnerability affects versions prior to 8.0.0.3. An authenticated user with access to the Carecoordination module can exploit this flaw by uploading a specially crafted CCDA document. The malicious document contains an \u003ccode\u003exi:include\u003c/code\u003e tag that references a file on the server (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e), enabling the…\u003c/p\u003e\n","date_modified":"2026-03-26T12:00:00Z","date_published":"2026-03-26T12:00:00Z","id":"/briefs/2026-03-openemr-xxe/","summary":"OpenEMR before version 8.0.0.3 is vulnerable to XML External Entity (XXE) injection, allowing an authenticated user with access to the Carecoordination module to upload a crafted CCDA document and read arbitrary files from the server.","title":"OpenEMR XXE Vulnerability (CVE-2026-33913)","url":"https://feed.craftedsignal.io/briefs/2026-03-openemr-xxe/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["openemr","authorization-bypass","data-deletion"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenEMR, a widely used open-source electronic health records and medical practice management application, is vulnerable to a significant authorization bypass. Specifically, versions prior to 8.0.0.3 lack proper authorization checks in the \u003ccode\u003einterface/forms/procedure_order/handle_deletions.php\u003c/code\u003e AJAX endpoint. This flaw enables any authenticated user, regardless of their assigned role or privileges, to delete procedure orders, patient answers, and specimen records associated with any patient within the OpenEMR system. This vulnerability poses a serious threat to data integrity and confidentiality. The vendor patched this vulnerability in version 8.0.0.3. Defenders should prioritize identifying and patching vulnerable systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains valid credentials to an OpenEMR instance, potentially through phishing, credential stuffing, or other means.\u003c/li\u003e\n\u003cli\u003eThe attacker logs into the OpenEMR web application with their valid, but potentially low-privilege, account.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious AJAX request targeting the vulnerable endpoint: \u003ccode\u003einterface/forms/procedure_order/handle_deletions.php\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe crafted request specifies the IDs of procedure orders, answers, or specimens that the attacker wishes to delete, regardless of the associated patient.\u003c/li\u003e\n\u003cli\u003eDue to the missing authorization check, the OpenEMR application processes the deletion request without verifying the attacker\u0026rsquo;s permissions.\u003c/li\u003e\n\u003cli\u003eThe specified patient data (procedure orders, answers, or specimens) is permanently deleted from the OpenEMR database.\u003c/li\u003e\n\u003cli\u003eThe attacker can repeat this process to delete additional patient data, potentially causing significant disruption or data loss.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe missing authorization vulnerability in OpenEMR allows any authenticated user to delete sensitive patient data, including procedure orders, answers to medical questionnaires, and specimen records. Successful exploitation could lead to data loss, compliance violations (e.g., HIPAA), and disruption of medical practice operations. The precise number of potentially affected OpenEMR instances is unknown, but given the widespread use of OpenEMR in medical practices, the impact could be substantial.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all OpenEMR installations to version 8.0.0.3 or later to remediate CVE-2026-34053.\u003c/li\u003e\n\u003cli\u003eImplement network monitoring for requests to \u003ccode\u003einterface/forms/procedure_order/handle_deletions.php\u003c/code\u003e and investigate any unusual activity.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect potential exploitation attempts by monitoring HTTP requests to the vulnerable endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-26T12:00:00Z","date_published":"2026-03-26T12:00:00Z","id":"/briefs/2026-03-openemr-auth-bypass/","summary":"OpenEMR versions before 8.0.0.3 contain a missing authorization vulnerability in the AJAX deletion endpoint that allows any authenticated user to delete patient data.","title":"OpenEMR Missing Authorization Allows Unauthorized Data Deletion","url":"https://feed.craftedsignal.io/briefs/2026-03-openemr-auth-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sqli","openemr","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOpenEMR, a widely used open-source electronic health records and medical practice management application, has a critical security flaw. Specifically, versions prior to 8.0.0.3 contain a blind SQL injection vulnerability affecting the Patient Search functionality located at \u003ccode\u003e/interface/new/new_search_popup.php\u003c/code\u003e. Authenticated attackers can exploit this vulnerability, identified as CVE-2026-29187, by manipulating HTTP parameter keys during patient searches. Successful exploitation allows…\u003c/p\u003e\n","date_modified":"2026-03-25T23:17:09Z","date_published":"2026-03-25T23:17:09Z","id":"/briefs/2026-03-openemr-sqli/","summary":"OpenEMR versions prior to 8.0.0.3 are susceptible to a blind SQL injection vulnerability in the Patient Search functionality, allowing authenticated attackers to execute arbitrary SQL commands by manipulating HTTP parameter keys.","title":"OpenEMR Blind SQL Injection Vulnerability in Patient Search (CVE-2026-29187)","url":"https://feed.craftedsignal.io/briefs/2026-03-openemr-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed — Openemr","version":"https://jsonfeed.org/version/1.1"}