CVE-2026-25746

HighPublic PoC

Published: 25 February 2026

Published

25 February 2026

Modified

27 February 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0000 0.1th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-25746 is a high-severity SQL Injection (CWE-89) vulnerability in Open-Emr Openemr. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 0.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validating user inputs to the prescription listing functionality to block SQL injection exploitation.

SI-2 Flaw Remediation good match

prevent

Mandates timely flaw remediation by patching to OpenEMR version 8.0.0, which fixes the input validation deficiency.

SI-9 Information Input Restrictions partial match

prevent

Enforces input restrictions such as character sets and lengths to restrict malicious SQL payloads in prescription queries.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

T1565.001 Stored Data Manipulation Impact

Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

attack.mitre.org →

Why these techniques?

SQL injection in public-facing OpenEMR web app directly enables T1190 exploitation for initial access; facilitates unauthorized DB queries for data exfiltration (T1213.006) and record modification (T1565.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0 contain a SQL injection vulnerability in prescription that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input…

validation in the prescription listing functionality. Version 8.0.0 fixes the vulnerability.

Deeper analysisAI

CVE-2026-25746 is a SQL injection vulnerability (CWE-89) affecting OpenEMR, a free and open source electronic health records and medical practice management application. The flaw exists in the prescription listing functionality due to insufficient input validation and impacts all versions prior to 8.0.0. Published on 2026-02-25, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity with network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.

Authenticated attackers with low privileges can exploit this vulnerability remotely over the network without user interaction. By injecting malicious SQL payloads into the prescription listing interface, they can manipulate database queries, potentially extracting sensitive patient data, modifying records, or disrupting service availability.

Mitigation is addressed in OpenEMR version 8.0.0, which resolves the input validation issue. Relevant code locations include library/classes/Controller.class.php (line 77), controller.php (line 6), controllers/C_Prescription.class.php (line 180), and library/classes/Prescription.class.php (line 1148), as detailed in the project's GitHub repository. A proof-of-concept is available at https://github.com/ChrisSub08/CVE-2026-25746_SqlInjectionVulnerabilityOpenEMR7.0.4.

Details

CWE(s): CWE-89

Affected Products

open-emr

openemr

≤ 8.0.0

CVEs Like This One

CVE-2026-33917Same product: Open-Emr Openemr

CVE-2026-29187Same product: Open-Emr Openemr

CVE-2026-32127Same product: Open-Emr Openemr

CVE-2026-33910Same product: Open-Emr Openemr

CVE-2026-23627Same product: Open-Emr Openemr

CVE-2026-33914Same product: Open-Emr Openemr

CVE-2026-24908Same product: Open-Emr Openemr

CVE-2026-34053Same product: Open-Emr Openemr

CVE-2026-32123Same product: Open-Emr Openemr

CVE-2026-24890Same product: Open-Emr Openemr

References

https://github.com/ChrisSub08/CVE-2026-25746_SqlInjectionVulnerabilityOpenEMR7.0.4
Exploit, Third Party Advisory · security-advisories@github.com
https://github.com/openemr/openemr/blob/2b46e594b9dd665fb7f16c913ca07f5c6d54412b/library/classes/Controller.class.php#L77
Product · security-advisories@github.com
https://github.com/openemr/openemr/blob/9fa8db9f12d0b70985195b11b90f2dc564bd3b24/controller.php#L6
Product · security-advisories@github.com
https://github.com/openemr/openemr/blob/9fa8db9f12d0b70985195b11b90f2dc564bd3b24/controllers/C_Prescription.class.php#L180
Product · security-advisories@github.com
https://github.com/openemr/openemr/blob/9fa8db9f12d0b70985195b11b90f2dc564bd3b24/library/classes/Prescription.class.php#L1148
Product · security-advisories@github.com
https://github.com/openemr/openemr/commit/e230d3ef46425ffc96a37dc6369428aa37c88554
Patch · security-advisories@github.com
https://github.com/openemr/openemr/security/advisories/GHSA-78r7-g65p-gpw3
Exploit, Vendor Advisory · security-advisories@github.com