SSRF in OpenEMR
CVE-2026-33321
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users with the `Notes - my encounters` role can fill Eye Exam forms in patient encounters. The answers to the form c…
Vulnerability class: SSRF (Server-Side Request Forgery)
EPSS: 0.001 (33.8th percentile)
Affected products
- OpenEMR — versions < 8.0.0.2
Weakness classification (CWE)
References
- https://github.com/openemr/openemr/security/advisories/GHSA-5pc3-2crw-96rv (x_refsource_CONFIRM)
- https://github.com/openemr/openemr/commit/dccc962f06bdf6105ca85c277915167caf3e7c28 (x_refsource_MISC)