CVE-2026-27943 - OpenEMR's Eye Exam View Trusts form_id Without Verifying Patient/Encounter Owner...

CVE ID : CVE-2026-27943 Published : Feb. 26, 2026, 2:16 a.m. | 50 minutes ago Description : OpenEMR is a free and open source electronic health records and medical practice management application. In versions up to and including 8.0.0, the eye exam (eye_mag) view loads data by `form_id` (or equivalent) without verifying that the form belongs to the current user’s patient/encounter context. An authenticated user can access or edit any patient’s eye exam by supplying another form ID; in some flows the session’s active patient may also be switched. A fix is available on the `main` branch of the OpenEMR GitHub repository. Severity: 6.5 | MEDIUM Visit the link for more details, such as CVSS details, affected products, timeline, and more...