CVE-2026-24847

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the Eye Exam form module allows any authenticated user to be redirected to an arbitrary external URL. This can be exploited for phishing attacks against healthcare providers using OpenEMR. Version 8.0.0 fixes the issue.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/openemr/openemr/commit/b924459bb5b2844f8f5d3d6cedd2e854eda20aad	Patch
https://github.com/openemr/openemr/security/advisories/GHSA-6f42-6q2r-fc2h	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-25 02:16

Updated : 2026-02-26 15:33

NVD link : CVE-2026-24847

Mitre link : CVE-2026-24847

CVE.ORG link : CVE-2026-24847

JSON object : View

Products Affected

open-emr

openemr

CWE

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

{"id": "CVE-2026-24847", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2026-02-25T02:16:22.027", "references": [{"url": "https://github.com/openemr/openemr/commit/b924459bb5b2844f8f5d3d6cedd2e854eda20aad", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openemr/openemr/security/advisories/GHSA-6f42-6q2r-fc2h", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-601"}]}], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the Eye Exam form module allows any authenticated user to be redirected to an arbitrary external URL. This can be exploited for phishing attacks against healthcare providers using OpenEMR. Version 8.0.0 fixes the issue."}, {"lang": "es", "value": "OpenEMR es una aplicaci\u00f3n gratuita y de c\u00f3digo abierto para registros de salud electr\u00f3nicos y gesti\u00f3n de consultorios m\u00e9dicos. Antes de la versi\u00f3n 8.0.0, el m\u00f3dulo del formulario de Examen Ocular permite a cualquier usuario autenticado ser redirigido a una URL externa arbitraria. Esto puede ser explotado para ataques de phishing contra proveedores de atenci\u00f3n m\u00e9dica que utilizan OpenEMR. La versi\u00f3n 8.0.0 corrige el problema."}], "lastModified": "2026-02-26T15:33:56.017", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FEAA9896-A42E-437C-BEE8-8DA955E34385", "versionEndExcluding": "8.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}