Vulnerability intelligence

CVE-2026-24908

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, an SQL injection vulnerability in the Patient REST API endpoint allows authenticated users with API access to execute arbitrary SQL queries through the `_sort` parameter. This could potentially lead to database access, PHI (Protected Health Information) exposure, and credential compromise. The issue occurs when user-supplied sort field names are used in ORDER BY clauses without proper validation or identifier escaping. Version 8.0.0 fixes the issue.

CVSS Score

Critical

EPSS — Exploit Probability

0.0%

Riskier than 0% of all CVEs

Exploitation

Not in CISA KEV

No federal exploitation record

Remediation

Patch available

Vendor fix published

NVD entry Vendor patch PoC / advisory

3 articles across 3 outlets · first covered Apr 29, 2026 · latest Apr 30, 2026

Coverage timeline

SMS blaster bust, OpenEMR flaws, 600K Roblox accounts hacked
thehackernews.com · Apr 30, 2026
AI audit finds 38 OpenEMR flaws, CVE-2026-24908 leaks PHI
www.darkreading.com · Apr 29, 2026
OpenEMR bugs risk patient data leak and remote code execution
www.securityweek.com · Apr 29, 2026