Platform: php
Component: openemr
Fixed in: 8.0.1
CVE-2026-24908 is a critical SQL injection vulnerability in OpenEMR. An attacker with access to the Patient REST API endpoint can inject arbitrary SQL into the query the endpoint runs against the backing MySQL database and read data the API would never return. OpenEMR 8.0.0 and earlier are affected; the fix ships in version 8.0.1.
Because the injected SQL executes inside a query the application itself issues, an authenticated user with API access bypasses OpenEMR's access-control layer entirely and operates with the privileges of the application's database account. That is enough to extract Protected Health Information (PHI) in bulk, including patient records, medical history and billing details, and to reach tables the API never exposes, such as user accounts and their credential hashes. Credentials recovered this way give the attacker persistent access to the OpenEMR system and a route to privilege escalation within it. Given the sensitivity of healthcare data and the breach-notification and regulatory obligations that follow a compromise, this is a high-impact vulnerability.
CVE-2026-24908 was publicly disclosed on 2026-02-25. No public proof-of-concept (PoC) code had been released as of this writing, and the EPSS score listed below is still 0.00%, but SQL injection flaws are typically easy to weaponize once the vulnerable parameter is known, so exploitation attempts should be expected to follow any public details. Monitor the web-server access logs for requests to the Patient REST API carrying SQL metacharacters or keywords, and the MySQL error log for syntax errors that coincide with API requests.
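The log check recommended above, worked through as an added example (this is not code from OpenEMR or from this advisory): a Python script that parses web-server access-log lines, URL-decodes every query parameter sent to the Patient REST API, and flags the classic injection indicators by name so an analyst can see why each hit fired. The API path prefix /apis/default/api/patient, the Apache combined log format, and the sample log lines themselves are assumptions constructed for the example; adjust the prefix to your deployment.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed Apache combined-format access-log lines for the example; not from a real host.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Feb/2026:10:01:02 +0000] "GET /apis/default/api/patient?lname=Doe HTTP/1.1" 200 512 "-" "curl/8.5.0"
10.0.0.9 - - [25/Feb/2026:10:01:09 +0000] "GET /apis/default/api/patient?_sort=id%27%20OR%201%3D1--%20 HTTP/1.1" 500 0 "-" "python-requests/2.31.0"
10.0.0.9 - - [25/Feb/2026:10:01:15 +0000] "GET /apis/default/api/patient?lname=x%27%20UNION%20SELECT%20username%2Cpassword%20FROM%20users--%20 HTTP/1.1" 200 9120 "-" "python-requests/2.31.0"
10.0.0.7 - - [25/Feb/2026:10:02:00 +0000] "GET /interface/login/login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Feb/2026:10:02:30 +0000] "GET /apis/default/api/patient?dob=1980-01-01 HTTP/1.1" 200 410 "-" "python-requests/2.31.0"
"""

# Assumed REST path of the Patient endpoint; adjust to your deployment.
PATIENT_API_PREFIX = "/apis/default/api/patient"

# Combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status, ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators checked against each decoded parameter value. A lone quote is weak
# evidence on its own (O'Brien is a legitimate last name); the others are not.
SQLI_INDICATORS = [
    ("quote", re.compile(r"['\"]")),
    ("comment", re.compile(r"--|/\*|#")),
    ("tautology", re.compile(r"(?i)\b(?:or|and)\b\s*[\w']+\s*=\s*[\w']+")),
    ("union_select", re.compile(r"(?i)\bunion\b[\s\S]{0,40}?\bselect\b")),
    ("time_based", re.compile(r"(?i)\b(?:sleep|benchmark)\s*\(")),
    ("stacked_query", re.compile(r";\s*\w")),
]


def analyse_request(target, prefix=PATIENT_API_PREFIX):
    """Return [(param, indicator), ...] for one request target, or None if it is not the Patient API."""
    parts = urlsplit(target)
    if not parts.path.startswith(prefix):
        return None
    hits = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already decoded once; decode again so double-encoded payloads are caught too
        value = unquote_plus(raw)
        for label, pattern in SQLI_INDICATORS:
            if pattern.search(value):
                hits.append((name, label))
    return hits


def scan_access_log(text):
    """Parse combined-format lines and return one finding per suspicious Patient API request."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        hits = analyse_request(m["target"])
        if not hits:
            continue
        findings.append({
            "ip": m["ip"],
            "timestamp": m["ts"],
            "status": int(m["status"]),
            "params": sorted({p for p, _ in hits}),
            "indicators": sorted({i for _, i in hits}),
        })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} status={f['status']} "
              f"params={','.join(f['params'])} indicators={','.join(f['indicators'])}")
```

Decoding before matching is the point: the payloads in the sample arrive percent-encoded, so a plain grep for a quote or "UNION" on the raw line misses them, while a grep for %27 misses the double-encoded variant. Treat a "quote"-only finding as a lead to triage, and anything with union_select, comment, tautology or time_based as a probe worth escalating, especially when the same client produced a 500.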
Healthcare providers and organizations running OpenEMR are at significant risk, especially where the Patient REST API is enabled for integrations and is therefore reachable by many credentialed clients. Shared hosting is a further concern: where several OpenEMR instances use the same MySQL server, or worse the same database account, injected SQL in one instance runs with that account's privileges and can reach whatever other schemas the account can see.
Quick checks (the API route, log paths and account names below are deployment-specific; adjust them):
• linux / server:
# OpenEMR runs under the web server, so inspect its access log rather than a service journal
# (path shown is the Debian/Ubuntu Apache default); match encoded and raw injection characters
grep -iE "api/patient\?.*(%27|'|--|%2F%2A|union|sleep)" /var/log/apache2/access.log
• generic web:
curl -I 'https://<openemr_host>/api/patient?_sort='   # an unauthenticated HEAD will normally get a 401; use an authorized API credential and look for 500s or database error text
• database (mysql):
mysql -u <openemr_user> -p -e "SHOW TABLES LIKE 'patient%';"   # confirm the patient tables exist, then review the MySQL error log for syntax errors timed with API requests
Disclosure: 2026-02-25
Patch: fixed in 8.0.1
Exploit status
EPSS: 0.00% (0th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-24908 is to upgrade OpenEMR to version 8.0.1 or later, which contains the fix. If immediate upgrading is not possible, reduce exposure in the meantime: restrict the REST API to the clients and networks that need it (and disable it entirely if nothing uses it), keep API credentials scoped to the minimum required, and put a Web Application Firewall (WAF) with SQL injection rules in front of the endpoint, remembering that WAF rules are a stopgap that encoded or unusual payloads can slip past, not a fix. Validating user-supplied input inside the application is the real remedy, which is what the upgrade delivers. After upgrading, confirm the fix on a non-production copy: send a benign probe such as a single quote in the affected parameter of the Patient REST API with an authorized credential and check that the response is a normal validation error or empty result rather than a database error or an HTTP 500.
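To make the mitigation and the verification step concrete, here is an added example (not OpenEMR's code, which is PHP on MySQL; this uses Python with an in-memory SQLite table standing in for the patient table, and the pattern is identical). search_vulnerable concatenates a last-name filter and a caller-chosen sort column into the query the way an injectable endpoint would; search_hardened binds the value as a parameter and restricts the sort column to an allow-list, because column names cannot be bound; sort_oracle_vulnerable shows that even a sort parameter leaks data, since the returned row order answers any yes/no question about the database; and verify_fix is the post-upgrade tautology probe applied to a function instead of an HTTP endpoint. The table name, columns and rows are invented for the example.

```python
import sqlite3

# Constructed demo rows; fictional people, not real PHI.
PATIENTS = [
    (1, "Doe", "Jane", "1980-01-01"),
    (2, "Smith", "John", "1975-05-05"),
    (3, "Roe", "Rick", "1990-09-09"),
]

# Column names cannot be passed as bound parameters, so a caller-chosen
# ORDER BY column must be checked against an explicit allow-list.
ALLOWED_SORT_COLUMNS = {"id", "lname", "fname", "dob"}


def demo_db():
    """In-memory stand-in for the patient table (schema invented for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient_data (id INTEGER, lname TEXT, fname TEXT, dob TEXT)")
    conn.executemany("INSERT INTO patient_data VALUES (?, ?, ?, ?)", PATIENTS)
    return conn


def search_vulnerable(conn, lname, sort="id"):
    """Deliberately injectable: both the filter value and the sort column are concatenated."""
    sql = f"SELECT id FROM patient_data WHERE lname = '{lname}' ORDER BY {sort}"
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn, lname, sort="id"):
    """Filter value is bound; the sort column is allow-listed before it touches the SQL text."""
    if sort not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort!r}")
    sql = f"SELECT id FROM patient_data WHERE lname = ? ORDER BY {sort}"
    return [row[0] for row in conn.execute(sql, (lname,))]


def sort_oracle_vulnerable(conn, condition_sql):
    """Boolean-blind extraction through ORDER BY alone.

    With the filter neutralised by a tautology, rows come back ordered by id
    when condition_sql is true and by last name when it is false, so the order
    of the returned ids answers any yes/no question about the database.
    """
    payload = f"CASE WHEN ({condition_sql}) THEN id ELSE lname END"
    return search_vulnerable(conn, "' OR '1'='1", sort=payload)


def verify_fix(search):
    """True if `search` returns nothing for the classic tautology payload."""
    return search(demo_db(), "' OR '1'='1") == []


if __name__ == "__main__":
    conn = demo_db()
    print("vulnerable, tautology:", search_vulnerable(conn, "' OR '1'='1"))
    print("hardened,   tautology:", search_hardened(conn, "' OR '1'='1"))
    print("oracle, count(*)=3  :", sort_oracle_vulnerable(conn, "(SELECT count(*) FROM patient_data) = 3"))
    print("oracle, count(*)=4  :", sort_oracle_vulnerable(conn, "(SELECT count(*) FROM patient_data) = 4"))
```

Against the real API the equivalent of verify_fix is to send the tautology in the affected parameter with a scoped test credential and expect an empty or validation-error response rather than the full patient list. The oracle function is the reason "it is only a sort parameter" is not a reason to skip the upgrade: one bit per request is enough to read out any value in the database.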
Update OpenEMR to version 8.0.1 or later. This release fixes the SQL injection vulnerability in the Patient API. The update prevents execution of arbitrary SQL queries and the resulting exposure of sensitive information.
CVE-2026-24908 is a critical SQL injection vulnerability in OpenEMR 8.0.0 and earlier that lets an attacker execute arbitrary SQL queries through the Patient REST API.
You are affected if you are running OpenEMR 8.0.0 or earlier and have not yet upgraded to 8.0.1 or later.
Upgrade OpenEMR to version 8.0.1 or later to remediate the vulnerability. Restrict API access and front the endpoint with a WAF as temporary measures if immediate upgrading is not possible.
No public exploitation has been confirmed, but SQL injection flaws are typically easy to exploit once details are public, so treat active exploitation as plausible.
Refer to the official OpenEMR security advisory for detailed information and updates: [https://openemr.org/security/](https://openemr.org/security/)