π¨ CVE-2026-24908
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL injection vulnerability in the Patient REST API endpoint allows authenticated users with API access to execute arbitrary SQL queries through the `_sort` parameter. This could potentially lead to database access, PHI (Protected Health Information) exposure, and credential compromise. The issue occurs when user-supplied sort field names are used in ORDER BY clauses without proper validation or identifier escaping. Version 8.0.0 fixes the issue.
π@cveNotify
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL injection vulnerability in the Patient REST API endpoint allows authenticated users with API access to execute arbitrary SQL queries through the `_sort` parameter. This could potentially lead to database access, PHI (Protected Health Information) exposure, and credential compromise. The issue occurs when user-supplied sort field names are used in ORDER BY clauses without proper validation or identifier escaping. Version 8.0.0 fixes the issue.
π@cveNotify
GitHub
Merge commit from fork Β· openemr/openemr@943e23c
Add validation to SearchConfigClauseBuilder::buildSortOrderClauseFromConfig()
to ensure sort field names only contain valid SQL identifier characters.
This prevents SQL injection via the _sort para...
to ensure sort field names only contain valid SQL identifier characters.
This prevents SQL injection via the _sort para...
π¨ CVE-2026-25164
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the REST API route table in `apis/routes/_rest_routes_standard.inc.php` does not call `RestConfig::request_authorization_check()` for the document and insurance routes. Other patient routes in the same file (e.g. encounters, patients/med) call it with the appropriate ACL. As a result, any valid API bearer token can access or modify every patient's documents and insurance data, regardless of the tokenβs OpenEMR ACLsβeffectively exposing all document and insurance PHI to any authenticated API client. Version 8.0.0 patches the issue.
π@cveNotify
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the REST API route table in `apis/routes/_rest_routes_standard.inc.php` does not call `RestConfig::request_authorization_check()` for the document and insurance routes. Other patient routes in the same file (e.g. encounters, patients/med) call it with the appropriate ACL. As a result, any valid API bearer token can access or modify every patient's documents and insurance data, regardless of the tokenβs OpenEMR ACLsβeffectively exposing all document and insurance PHI to any authenticated API client. Version 8.0.0 patches the issue.
π@cveNotify
GitHub
Merge commit from fork Β· openemr/openemr@c5e1c44
Document and insurance REST API routes were missing
RestConfig::request_authorization_check() calls, allowing any valid API
bearer token to access or modify data regardless of ACL permissions.
RestConfig::request_authorization_check() calls, allowing any valid API
bearer token to access or modify data regardless of ACL permissions.
π¨ CVE-2026-25220
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the Message Center accepts the URL parameter `show_all=yes` and passes it to `getPnotesByUser()`, which returns all internal messages (all usersβ notes). The backend does not verify that the requesting user is an administrator before honoring `show_all=yes`. The "Show All" link is also visible to non-admin users. As a result, any authenticated user can view the entire internal message list by requesting `messages.php?show_all=yes`. Version 8.0.0 patches the issue.
π@cveNotify
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the Message Center accepts the URL parameter `show_all=yes` and passes it to `getPnotesByUser()`, which returns all internal messages (all usersβ notes). The backend does not verify that the requesting user is an administrator before honoring `show_all=yes`. The "Show All" link is also visible to non-admin users. As a result, any authenticated user can view the entire internal message list by requesting `messages.php?show_all=yes`. Version 8.0.0 patches the issue.
π@cveNotify
GitHub
Merge commit from fork Β· openemr/openemr@9f2c44f
Force $show_all to "no" for non-admin users so the GET parameter
cannot bypass the access control on viewing all users' messages.
cannot bypass the access control on viewing all users' messages.
π¨ CVE-2026-25743
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, users with the "Forms administration" role can fill questionnaires ("forms") in patient encounters. The answers to the forms are displayed on the encounter page and in the visit history for the users with the same role. There exists a stored cross-site scripting (XSS) vulnerability in the function to display the form answers, allowing any authenticated attacker with the specific role to insert arbitrary JavaScript into the system by entering malicious payloads to the form answers. The JavaScript code is later executed by any user with the form role when viewing the form answers in the patient encounter pages or visit history. Version 8.0.0 fixes the issue.
π@cveNotify
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, users with the "Forms administration" role can fill questionnaires ("forms") in patient encounters. The answers to the forms are displayed on the encounter page and in the visit history for the users with the same role. There exists a stored cross-site scripting (XSS) vulnerability in the function to display the form answers, allowing any authenticated attacker with the specific role to insert arbitrary JavaScript into the system by entering malicious payloads to the form answers. The JavaScript code is later executed by any user with the form role when viewing the form answers in the patient encounter pages or visit history. Version 8.0.0 fixes the issue.
π@cveNotify
GitHub
Merge commit from fork Β· openemr/openemr@da18f83
The most popular open source electronic health records and medical practice management solution. - Merge commit from fork Β· openemr/openemr@da18f83
π¨ CVE-2026-25746
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0 contain a SQL injection vulnerability in prescription that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the prescription listing functionality. Version 8.0.0 fixes the vulnerability.
π@cveNotify
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0 contain a SQL injection vulnerability in prescription that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the prescription listing functionality. Version 8.0.0 fixes the vulnerability.
π@cveNotify
GitHub
GitHub - ChrisSub08/CVE-2026-25746_SqlInjectionVulnerabilityOpenEMR7.0.4: SQL Injection Vulnerability in OpenEMR 7.0.4
SQL Injection Vulnerability in OpenEMR 7.0.4 . Contribute to ChrisSub08/CVE-2026-25746_SqlInjectionVulnerabilityOpenEMR7.0.4 development by creating an account on GitHub.
π¨ CVE-2025-69416
In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve other tokens (intended for unrelated access) via clients.plex.tv/devices.xml.
π@cveNotify
In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve other tokens (intended for unrelated access) via clients.plex.tv/devices.xml.
π@cveNotify
GitHub
vulnerability-research/CVE-2025-34158/README.md at main Β· lufinkey/vulnerability-research
Collection of CVEs that i've discovered. Contribute to lufinkey/vulnerability-research development by creating an account on GitHub.
π¨ CVE-2025-69417
In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve share tokens (intended for unrelated access) via a shared_servers endpoint.
π@cveNotify
In the plex.tv backend for Plex Media Server (PMS) through 2025-12-31, a non-server device token can retrieve share tokens (intended for unrelated access) via a shared_servers endpoint.
π@cveNotify
GitHub
vulnerability-research/CVE-2025-34158/README.md at main Β· lufinkey/vulnerability-research
Collection of CVEs that i've discovered. Contribute to lufinkey/vulnerability-research development by creating an account on GitHub.
π¨ CVE-2026-23873
hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection (Formula Injection) through the contest rank export functionality (contestrank.xls.php and admin/ranklist_export.php). The application fails to sanitize user-supplied input (specifically the "Nickname" field) before exporting it to an .xls file (which renders as an HTML table but is opened by Excel). If a malicious user sets their nickname to an Excel formula when an administrator exports and opens the rank list in Microsoft Excel, the formula will be executed. This can lead to arbitrary command execution (RCE) on the administrator's machine or data exfiltration. A fix was not available at the time of publication.
π@cveNotify
hustoj is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. All versions are vulnerable to CSV Injection (Formula Injection) through the contest rank export functionality (contestrank.xls.php and admin/ranklist_export.php). The application fails to sanitize user-supplied input (specifically the "Nickname" field) before exporting it to an .xls file (which renders as an HTML table but is opened by Excel). If a malicious user sets their nickname to an Excel formula when an administrator exports and opens the rank list in Microsoft Excel, the formula will be executed. This can lead to arbitrary command execution (RCE) on the administrator's machine or data exfiltration. A fix was not available at the time of publication.
π@cveNotify
GitHub
Stored CSV Injection (Formula Injection) in Contest Rank Export Leading to RCE Risk
Summary: A CSV Injection (Formula Injection) vulnerability exists in the contest rank export functionality (contestrank.xls.php and admin/ranklist_export.php). The application fails to sanitize use...
π¨ CVE-2026-23592
Insecure file operations in HPE Aruba Networking Fabric ComposerΓ’β¬β’s backup functionality could allow authenticated attackers to achieve remote code execution. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system.
π@cveNotify
Insecure file operations in HPE Aruba Networking Fabric ComposerΓ’β¬β’s backup functionality could allow authenticated attackers to achieve remote code execution. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system.
π@cveNotify
π¨ CVE-2026-23593
A vulnerability in the web-based management interface of HPE Aruba Networking Fabric Composer could allow an unauthenticated remote attacker to view some system files. Successful exploitation could allow an attacker to read files within the affected directory.
π@cveNotify
A vulnerability in the web-based management interface of HPE Aruba Networking Fabric Composer could allow an unauthenticated remote attacker to view some system files. Successful exploitation could allow an attacker to read files within the affected directory.
π@cveNotify
π¨ CVE-2026-0709
Some Hikvision Wireless Access Points are vulnerable to authenticated command execution due to insufficient input validation. Attackers with valid credentials can exploit this flaw by sending crafted packets containing malicious commands to affected devices, leading to arbitrary command execution.
π@cveNotify
Some Hikvision Wireless Access Points are vulnerable to authenticated command execution due to insufficient input validation. Attackers with valid credentials can exploit this flaw by sending crafted packets containing malicious commands to affected devices, leading to arbitrary command execution.
π@cveNotify
π¨ CVE-2026-22623
Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can execute arbitrary commands on the device by crafting specific messages.
π@cveNotify
Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can execute arbitrary commands on the device by crafting specific messages.
π@cveNotify
π¨ CVE-2026-22624
Due to inadequate access control, authenticated users of certain HIKSEMI NAS products can manipulate other users' file resources without proper authorization.
π@cveNotify
Due to inadequate access control, authenticated users of certain HIKSEMI NAS products can manipulate other users' file resources without proper authorization.
π@cveNotify
π¨ CVE-2026-22625
Improper handling of filenames in certain HIKSEMI NAS products may lead to the exposure of sensitive system files.
π@cveNotify
Improper handling of filenames in certain HIKSEMI NAS products may lead to the exposure of sensitive system files.
π@cveNotify
π¨ CVE-2026-22626
Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can cause abnormal device behavior by crafting specific messages.
π@cveNotify
Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can cause abnormal device behavior by crafting specific messages.
π@cveNotify
β€1
π¨ CVE-2025-69414
Plex Media Server (PMS) through 1.42.2.10156 allows retrieval of a permanent access token via a /myplex/account call with a transient access token.
π@cveNotify
Plex Media Server (PMS) through 1.42.2.10156 allows retrieval of a permanent access token via a /myplex/account call with a transient access token.
π@cveNotify
GitHub
vulnerability-research/CVE-2025-34158/README.md at main Β· lufinkey/vulnerability-research
Collection of CVEs that i've discovered. Contribute to lufinkey/vulnerability-research development by creating an account on GitHub.
π¨ CVE-2025-69415
In Plex Media Server (PMS) through 1.42.2.10156, ability to access /myplex/account with a device token is not properly aligned with whether the device is currently associated with an account.
π@cveNotify
In Plex Media Server (PMS) through 1.42.2.10156, ability to access /myplex/account with a device token is not properly aligned with whether the device is currently associated with an account.
π@cveNotify
GitHub
vulnerability-research/CVE-2025-34158/README.md at main Β· lufinkey/vulnerability-research
Collection of CVEs that i've discovered. Contribute to lufinkey/vulnerability-research development by creating an account on GitHub.
π¨ CVE-2022-46764
A SQL injection issue in the web API in TrueConf Server 5.2.0.10225 (fixed in 5.2.6) allows remote unauthenticated attackers to execute arbitrary SQL commands, ultimately leading to remote code execution.
π@cveNotify
A SQL injection issue in the web API in TrueConf Server 5.2.0.10225 (fixed in 5.2.6) allows remote unauthenticated attackers to execute arbitrary SQL commands, ultimately leading to remote code execution.
π@cveNotify
GitHub
public_cve_submissions/CVE-2022-46764.txt at main Β· sldlb/public_cve_submissions
Contribute to sldlb/public_cve_submissions development by creating an account on GitHub.
π¨ CVE-2025-9900
A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file.
By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.
π@cveNotify
A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file.
By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.
π@cveNotify
π¨ CVE-2026-23517
Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server diagnostics and trigger resource-intensive profiling operations. Fleetβs debug/pprof endpoints are accessible to any authenticated user regardless of role, including the lowest-privilege βObserverβ role. This allows low-privilege users to access sensitive server internals, including runtime profiling data and in-memory application state, and to trigger CPU-intensive profiling operations that could lead to denial of service. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, users should put the debug/pprof endpoints behind an IP allowlist as a workaround.
π@cveNotify
Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server diagnostics and trigger resource-intensive profiling operations. Fleetβs debug/pprof endpoints are accessible to any authenticated user regardless of role, including the lowest-privilege βObserverβ role. This allows low-privilege users to access sensitive server internals, including runtime profiling data and in-memory application state, and to trigger CPU-intensive profiling operations that could lead to denial of service. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, users should put the debug/pprof endpoints behind an IP allowlist as a workaround.
π@cveNotify
GitHub
Revise auth requirements for debug endpoints (#38173) Β· fleetdm/fleet@5c030e3
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #
# Checklist for submitter
If some of the following don'...
remove if NA -->
**Related issue:** Resolves #
# Checklist for submitter
If some of the following don'...
π¨ CVE-2026-23518
Fleet is open source device management software. In versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, a vulnerability in Fleet's Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not verified, Fleet could accept attacker-controlled identity claims, enabling enrollment of unauthorized devices under arbitrary Azure AD user identities. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.
π@cveNotify
Fleet is open source device management software. In versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3, a vulnerability in Fleet's Windows MDM enrollment flow could allow an attacker to submit forged authentication tokens that are not properly validated. Because JWT signatures were not verified, Fleet could accept attacker-controlled identity claims, enabling enrollment of unauthorized devices under arbitrary Azure AD user identities. Versions 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 fix the issue. If an immediate upgrade is not possible, affected Fleet users should temporarily disable Windows MDM.
π@cveNotify
GitHub
Improve Microsoft endpoint validation (#38180) Β· fleetdm/fleet@e225ef5
<!-- Add the related story/sub-task/bug number, like Resolves #123, or
remove if NA -->
**Related issue:** Resolves #13698
# Checklist for submitter
If some of the following don&...
remove if NA -->
**Related issue:** Resolves #13698
# Checklist for submitter
If some of the following don&...