CVE-2025-68277
Received Received - Intake
Phishing Vulnerability in OpenEMR Secure Messaging Links

Publication date: 2026-02-25

Last updated on: 2026-02-25

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, when a link is sent via Secure Messaging, clicking the link opens the website within the OpenEMR/Portal site. This behavior could be exploited for phishing. Version 7.0.4 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-25
Last Modified
2026-02-25
Generated
2026-06-16
AI Q&A
2026-02-25
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68277
EUVD
EUVD-2025-208105
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open-emr openemr to 7.0.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-451 The user interface (UI) does not properly represent critical information to the user, allowing the information - or its source - to be obscured or spoofed. This is often a component in phishing attacks.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-68277 is a vulnerability in OpenEMR versions prior to 7.0.4 related to the Secure Messaging feature. When a user sends a link via Secure Messaging, clicking the link opens the linked website within the OpenEMR/Portal interface instead of an external browser window.

This behavior can be exploited for phishing attacks because malicious links can appear to be part of the trusted OpenEMR environment, deceiving users into interacting with harmful sites.

The root cause is related to the sanitization process of HTML content in messages, where the DOMPurify library was configured to sanitize HTML but still allowed anchor tags with href attributes, enabling links to open internally.

The issue was fixed in OpenEMR version 7.0.4 by enhancing the sanitization to explicitly forbid anchor and image tags, preventing malicious links from being rendered or converted to text.

Impact Analysis

This vulnerability can be exploited to conduct phishing attacks within the OpenEMR environment by making malicious links appear as if they are part of the trusted portal.

An attacker with low privileges and requiring user interaction can trick users into clicking harmful links that open inside the OpenEMR interface, increasing the likelihood of successful deception.

The impact includes high confidentiality and integrity risks to both the vulnerable system and any subsequent systems, with a moderate impact on availability.

Compliance Impact

I don't know

Detection Guidance

This vulnerability involves the Secure Messaging feature in OpenEMR versions prior to 7.0.4, where links sent via messaging open within the OpenEMR/Portal interface instead of an external browser. Detection involves verifying the OpenEMR version and observing the behavior of links in Secure Messaging.

  • Check the OpenEMR version to confirm if it is prior to 7.0.4.
  • Test sending a link via Secure Messaging and observe if clicking the link opens the website inside the OpenEMR portal rather than an external browser.
  • Review the portal messaging PHP file (`portal/messaging/messages.php`) for the presence or absence of the updated sanitization code that forbids <a> and <img> tags.

Specific commands are not provided in the available resources.

Mitigation Strategies

The primary mitigation is to upgrade OpenEMR to version 7.0.4 or later, where the vulnerability has been patched.

The patch involves enhancing the sanitization of HTML content in Secure Messaging by forbidding <a> and <img> tags, preventing malicious links from opening inside the portal.

As an interim measure, avoid clicking links sent via Secure Messaging or instruct users to open links in an external browser manually.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68277. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart