www.securityweek.com 4/29/2026, 10:21:20 AM · via preferred

OpenEMR bugs risk patient data leak and remote code execution

CyberSIXT Evidence Panel
Primary Source: aisle.com
CISA KEV: Not in KEV
Patch: Patch available

Dozens of vulnerabilities were found in the open source OpenEMR medical records platform, with a security firm identifying 39 issues, 38 of which have CVE identifiers. OpenEMR is used worldwide by more than 100,000 healthcare providers to store data on over 200 million patients. The findings come from Aisle’s autonomous analyzer as part of a partnership with OpenEMR developers; all of the vulnerabilities have since been patched.

The majority of the flaws stemmed from missing or incorrect authorization, while the remainder were described as XSS, SQL injection, path traversal and session expiration vulnerabilities. In the most severe cases, according to Aisle, the SQL injection vulnerabilities combined with even modest database privileges could enable full database compromise, PHI exfiltration at scale, and remote code execution on the server.

The security firm highlighted three vulnerabilities that can be exploited to access or alter patient data: two critical SQL injection bugs tracked as CVE-2026-24908 and CVE-2026-23627, and an authorization bypass issue tracked as CVE-2026-24487. This report, written on 29 April 2026, notes that the complete list of OpenEMR CVEs is available in a blog post from Aisle.

View Primary Source Via www.securityweek.com

Article by CyberSIXT
