CVE-2026-33931

Exploit

EPSS 0.04%
Veröffentlicht 25.03.2026 23:36:48
Zuletzt bearbeitet 26.03.2026 16:29:06
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an Insecure Direct Object Reference (IDOR) vulnerability in the patient portal payment page allows any authenticated portal patient to access other patients' payment records — including invoice/billing data (PHI) and payment card metadata — by manipulating the `recid` query parameter in `portal/portal_payment.php`. Version 8.0.0.3 patches the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 6

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Open-emr ≫ Openemr Version < 8.0.0.3

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.123

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://github.com/openemr/openemr/releases/tag/v8_0_0_3

Product

https://github.com/openemr/openemr/security/advisories/GHSA-hf37-5rp9-j27j

Vendor Advisory

Exploit

https://github.com/openemr/openemr/commit/7bf30e0ec5587f80c19094d58df09d46ac328806

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-33931

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-33931

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-33931

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-33931