AISLE Discovers 38 CVEs in Healthcare Software Used by 100,000 Medical Providers

Author

Stanislav Fort

Date Published

April 28, 2026 OpenEMR - blog hero (1)

On this page

The Findings at a Glance
Notable Findings
CVE-2026-24908: SQL Injection in Patient REST API Sort Parameter
CVE-2026-23627: SQL Injection in Immunization Search/Report
CVE-2026-24487: FHIR Patient Compartment Bypass in CareTeam
Autonomous Issue Fixes
A Partnership for Patient Safety
From Disclosure to Prevention with AISLE
Full Advisory List
Missing or incorrect authorization
Cross-site scripting
SQL injection, path traversal, and session flaws

Cross-site scripting

User-controlled data was rendered into HTML or JavaScript without proper encoding, allowing an attacker to inject code that would run in another user's browser session. Several of these crossed the trust boundary between the patient portal and the clinical staff interface, meaning a patient could inject code that would execute in a clinician's or administrator's session.

Title	Severity	Weakness	CVE
Stored DOM XSS via .html() in Portal Signer Modal	High	Cross-site Scripting	CVE-2026-32121
Stored XSS in CCDA Preview via linkHtml	High	Cross-site Scripting	CVE-2026-33932
Stored XSS in Portal Payment via table_args	High	Cross-site Scripting	CVE-2026-33346
Stored XSS in Track Anything Graphs	Medium	Cross-site Scripting	CVE-2026-32125
Stored XSS in Graphical Pain Map	Medium	Cross-site Scripting	CVE-2026-32118
Stored XSS in Dynamic Code Picker	Medium	Cross-site Scripting	CVE-2026-32124
Reflected XSS in Custom Template Editor	Medium	Cross-site Scripting	CVE-2026-33933
Stored XSS via Portal Login Username	Medium	Cross-site Scripting	CVE-2026-33303
Stored DOM XSS via SearchHighlight	Medium	Cross-site Scripting	CVE-2026-32119

SQL injection, path traversal, and session flaws

These included SQL injections (user input was concatenated directly into SQL queries without proper sanitization), an insufficient session expiration issue, and path traversals (user-controlled file paths were not restricted to the intended directory, enabling arbitrary file reads or writes on the server).

Title	Severity	Weakness	CVE
SQL injection in patient API sort parameter	Critical	SQL Injection	CVE-2026-24908
SQL Injection in Immunization Search/Report	Critical	SQL Injection	CVE-2026-23627
Session Timeout Bypass via skip_timeout_reset	High	Insufficient Session Expiration	CVE-2026-25476
Arbitrary File Exfiltration via Fax Endpoint	Medium	Path Traversal	CVE-2026-24488
Path Traversal When Zipping DICOM Folders	Medium	Path Traversal	CVE-2026-25928

Our deepest appreciation goes to the OpenEMR maintainers for their professional collaboration. All issues were discovered using the AISLE AI analyzer and responsibly disclosed by Pavel Kohout, Petr Simecek, and Stanislav Fort.

AISLE Discovers 38 CVEs in OpenEMR Healthcare Software

AISLE Discovers 38 CVEs in Healthcare Software Used by 100,000 Medical Providers

Cross-site scripting

SQL injection, path traversal, and session flaws