Vulnerability Details CVE-2026-25930
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the Layout-Based Form (LBF) printable view accepts `formid` and `visitid` (or `patientid`) from the request and does not verify that the form belongs to the current user’s authorized patient/encounter. An authenticated user with LBF access can enumerate form IDs and view or print any patient’s encounter forms. Version 8.0.0 fixes the issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 27.6%
CVSS Severity
CVSS v3 Score 6.5
References
Products affected by CVE-2026-25930
-
cpe:2.3:a:open-emr:openemr:-
-
cpe:2.3:a:open-emr:openemr:2.0.1.2
-
cpe:2.3:a:open-emr:openemr:2.7
-
cpe:2.3:a:open-emr:openemr:2.7.1
-
cpe:2.3:a:open-emr:openemr:2.7.2
-
cpe:2.3:a:open-emr:openemr:2.7.3
-
cpe:2.3:a:open-emr:openemr:2.8.0
-
cpe:2.3:a:open-emr:openemr:2.8.1
-
cpe:2.3:a:open-emr:openemr:2.8.2
-
cpe:2.3:a:open-emr:openemr:2.8.3
-
cpe:2.3:a:open-emr:openemr:2.9.0
-
cpe:2.3:a:open-emr:openemr:3.0.0
-
cpe:2.3:a:open-emr:openemr:3.0.1
-
cpe:2.3:a:open-emr:openemr:3.1.0
-
cpe:2.3:a:open-emr:openemr:3.2.0
-
cpe:2.3:a:open-emr:openemr:4.0.0
-
cpe:2.3:a:open-emr:openemr:4.1.0
-
cpe:2.3:a:open-emr:openemr:4.1.1
-
cpe:2.3:a:open-emr:openemr:4.1.2
-
cpe:2.3:a:open-emr:openemr:4.1.2.3
-
cpe:2.3:a:open-emr:openemr:4.1.2.6
-
cpe:2.3:a:open-emr:openemr:4.1.2.7
-
cpe:2.3:a:open-emr:openemr:4.2.0
-
cpe:2.3:a:open-emr:openemr:4.2.0.3
-
cpe:2.3:a:open-emr:openemr:4.2.1
-
cpe:2.3:a:open-emr:openemr:4.2.2
-
cpe:2.3:a:open-emr:openemr:5.0.0
-
cpe:2.3:a:open-emr:openemr:5.0.0.5
-
cpe:2.3:a:open-emr:openemr:5.0.0.6
-
cpe:2.3:a:open-emr:openemr:5.0.1
-
cpe:2.3:a:open-emr:openemr:5.0.1-6
-
cpe:2.3:a:open-emr:openemr:5.0.1.1
-
cpe:2.3:a:open-emr:openemr:5.0.1.2
-
cpe:2.3:a:open-emr:openemr:5.0.1.3
-
cpe:2.3:a:open-emr:openemr:5.0.1.4
-
cpe:2.3:a:open-emr:openemr:5.0.1.5
-
cpe:2.3:a:open-emr:openemr:5.0.1.6
-
cpe:2.3:a:open-emr:openemr:5.0.1.7
-
cpe:2.3:a:open-emr:openemr:5.0.2
-
cpe:2.3:a:open-emr:openemr:5.0.2.1
-
cpe:2.3:a:open-emr:openemr:5.0.2.2
-
cpe:2.3:a:open-emr:openemr:5.0.2.3
-
cpe:2.3:a:open-emr:openemr:5.0.2.4
-
cpe:2.3:a:open-emr:openemr:5.0.2.5
-
cpe:2.3:a:open-emr:openemr:6.0.0
-
cpe:2.3:a:open-emr:openemr:6.0.0.1
-
cpe:2.3:a:open-emr:openemr:6.0.0.2
-
cpe:2.3:a:open-emr:openemr:6.0.0.3
-
cpe:2.3:a:open-emr:openemr:6.0.0.4
-
cpe:2.3:a:open-emr:openemr:6.1.0
-
cpe:2.3:a:open-emr:openemr:6.1.0.1
-
cpe:2.3:a:open-emr:openemr:7.0.0
-
cpe:2.3:a:open-emr:openemr:7.0.0.1
-
cpe:2.3:a:open-emr:openemr:7.0.0.2
-
cpe:2.3:a:open-emr:openemr:7.0.1
-
cpe:2.3:a:open-emr:openemr:7.0.1.1
-
cpe:2.3:a:open-emr:openemr:7.0.2
-
cpe:2.3:a:open-emr:openemr:7.0.2.1
-
cpe:2.3:a:open-emr:openemr:7.0.2.2
-
cpe:2.3:a:open-emr:openemr:7.0.2.3
-
cpe:2.3:a:open-emr:openemr:7.0.3
-
cpe:2.3:a:open-emr:openemr:7.0.3.1
-
cpe:2.3:a:open-emr:openemr:7.0.3.2
-
cpe:2.3:a:open-emr:openemr:7.0.3.3
-
cpe:2.3:a:open-emr:openemr:7.0.3.4
-
cpe:2.3:a:open-emr:openemr:7.0.4
-
cpe:2.3:a:open-emr:openemr:7.3.0