{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-14T06:00:31.370","vulnerabilities":[{"cve":{"id":"CVE-2026-25927","sourceIdentifier":"security-advisories@github.com","published":"2026-02-25T19:43:22.757","lastModified":"2026-02-27T14:40:46.690","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the DICOM viewer state API (e.g. upload or state save/load) accepts a document ID (`doc_id`) without verifying that the document belongs to the current user’s authorized patient or encounter. An authenticated user can read or modify DICOM viewer state (e.g. annotations, view settings) for any document by enumerating document IDs. Version 8.0.0 fixes the issue."},{"lang":"es","value":"OpenEMR es una aplicación de código abierto y gratuita para la gestión de registros médicos electrónicos y consultorios médicos. Antes de la versión 8.0.0, la API de estado del visor DICOM (por ejemplo, carga o guardar/cargar estado) acepta un ID de documento ('doc_id') sin verificar que el documento pertenezca al paciente o encuentro autorizado del usuario actual. Un usuario autenticado puede leer o modificar el estado del visor DICOM (por ejemplo, anotaciones, configuraciones de vista) para cualquier documento al enumerar los ID de documento. \nLa versión 8.0.0 corrige el problema."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":4.2}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-639"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*","versionEndExcluding":"8.0.0","matchCriteriaId":"FEAA9896-A42E-437C-BEE8-8DA955E34385"}]}]}],"references":[{"url":"https://github.com/openemr/openemr/security/advisories/GHSA-qj9f-x7v2-hrr7","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}