AISLE finds 38 OpenEMR flaws

- AISLE said on April 28 it found 38 CVEs in OpenEMR during Q1 2026, and OpenEMR maintainers patched them before any known exploitation. (aisle.com)
- The sharpest findings were two CVSS 10.0 bugs, including a Patient REST API SQL injection that could cascade into database takeover. (aisle.com)
- It matters because OpenEMR serves 100,000 providers and 200 million patients, turning one code audit into a healthcare infrastructure story. (aisle.com)

Electronic medical record software is the kind of infrastructure nobody notices until it breaks. But when it breaks, the blast radius is huge — pa(aisle.com)

AISLE said this week that its AI-based analyzer found 38 CVEs in OpenEMR during the first quarter of 2026, and the project’s maintainers patched them before any known real-world abuse. (aisle.com)

### What is OpenEMR, exactly?

OpenEMR is a widely used open-source electronic medical record(aisle.com) OpenEMR 8.0 also shipped in February 2026 with U.S. federal health IT certification, which tells you this is not some hobby project sitting on the edge of the market. (aisle.com)

### What happened this week?

AISLE published the disclosure on April 28, 2026. The company says its researchers — Stanislav Fort, Petr Simecek, and Pavel Kohout — applied the (aisle.com)ished in that quarter. One related count is easy to miss but important: AISLE also says there were 39 GitHub Security Advisory issues in total, with 38 of them receiving CVE IDs. (aisle.com)

### Why are people focusing on the number 38?

Because 38 is not just a big tall(aisle.com)ld enable database compromise, remote code execution, and data theft. AISLE frames the result as a speed comparison too: a prominent 2018 human-led audit disclosed 23 OpenEMR vulnerabilities after a longer effort, while this run found 38 in one quarter. (darkreading.com)

### What were the worst bugs?

The headline issues were two maximum-severity CVSS 10.0 flaws. One was a SQL injection bug in the Pat(aisle.com)at field in affected versions before 8.0.0. AISLE says SQL injection combined with modest database privileges could have snowballed into full database compromise, large-scale PHI theft, and even remote code execution on the server. (github.com)

### Were these all classic “hacker breaks in from outside” bugs?

Not really. A lot of the advisory trail points to broken access control, insecure di(darkreading.com)-in users too much.

GitHub advisories from March show examples where authenticated users could reach patient documents and insurance data without the right ACLs, alter insurance company records, read other patients’ payment records, or access staff signature images from the patient portal. That is less cinematic than a wormable bug, but in healthcare it is brutally practical. (github.com)

### So was AI doing the hacking?

(github.com)tool as an autonomous analyzer that scans code, surfaces likely exploit paths, and helps researchers turn those leads into disclosures. The important claim here is not “AI magically secured healthcare.” It is that AI may now be good enough to compress the time between a bug existing, being found, and being fixed. (aisle.com)

### What is the catch?

The catch is that defenders are not the only ones getting faster. AISLE itself opens with that point — attackers are using AI too. So this story is encou(github.com)ckly in a mature medical platform, an offensive team probably can too. (aisle.com)

### Bottom line?

This is really a story about timing. OpenEMR got dozens of dangerous bugs fixed before known exploitation, and that is the win. But the deeper message is harsher — healthcare software is still carrying a lot of quiet, high-impact security debt, and AI is turning the race to find it into a sprint. (aisle.com)
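The two bug classes the briefing names, a SQL injection reachable through a request field and an authenticated user reading another patient's records without the right ACL, come down to the same coding discipline: never let request data shape the query, and check object-level authorization before returning rows. The following is an added example, not OpenEMR's code or schema; the tables, the users and the "assigned clinician" rule are constructed here for illustration, and it uses SQLite so it runs offline.

```python
"""Vulnerable and hardened lookups side by side.

Added example, not OpenEMR's code: the schema, sample rows and the
hypothetical "assigned clinician may read payments" rule are all
constructed for illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE patients (pid INTEGER PRIMARY KEY, name TEXT, clinician TEXT);
        CREATE TABLE payments (pid INTEGER, amount REAL);
        INSERT INTO patients VALUES (1, 'Alice Example', 'dr_adams');
        INSERT INTO patients VALUES (2, 'Bob Example', 'dr_baker');
        INSERT INTO payments VALUES (1, 120.0), (2, 45.5);
        """
    )
    return conn


def find_patients_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """The defect: a request field is concatenated into the SQL text,
    so whoever supplies the field controls the query, not just a value."""
    sql = "SELECT pid, name FROM patients WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_patients_safe(conn: sqlite3.Connection, name: str) -> list:
    """The fix: a bound parameter is always treated as a string literal,
    whatever characters it contains."""
    sql = "SELECT pid, name FROM patients WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def get_payments(conn: sqlite3.Connection, user: str, pid: int) -> list:
    """Object-level access check before returning a patient's payment rows.
    Hypothetical rule for this example: only the clinician assigned to the
    patient may read them. Being logged in is not enough."""
    row = conn.execute(
        "SELECT clinician FROM patients WHERE pid = ?", (pid,)
    ).fetchone()
    if row is None or row[0] != user:
        raise PermissionError(f"{user} is not authorized for patient {pid}")
    return conn.execute(
        "SELECT amount FROM payments WHERE pid = ?", (pid,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input, not a real patient name
    print(find_patients_unsafe(db, probe))  # every patient row comes back
    print(find_patients_safe(db, probe))    # [] : nobody is literally named that
    print(get_payments(db, "dr_adams", 1))  # assigned clinician: allowed
    try:
        get_payments(db, "dr_baker", 1)     # other logged-in user: refused
    except PermissionError as exc:
        print(exc)
```

The contrast to take from it: the same crafted string returns the whole `patients` table from the concatenated query and nothing from the parameterized one, and the payments lookup refuses a valid, authenticated user who simply is not the right user for that record. The briefing's note that "modest database privileges" could snowball is the third control: the application's database account should hold only the privileges the queries need, so an injection that does get through finds less to use.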

Shared from Scout - Be the smartest in the room.