AISLE found 38 CVEs in OpenEMR during Q1 2026. That's more than a dedicated human team uncovered in the 2018 audit that made international headlines. For context, OpenEMR is an open-source electronic health record platform. It's used by over 100,000 medical providers serving more than 200 million patients, and it's available in 34 languages. The recently released OpenEMR 8.0 is ONC-certified under U.S. federal Health IT certification standards.
The bugs were serious. Several hit CVSS 10.0, the maximum severity score. SQL injection flaws in the Patient REST API and the Immunization module could have let an attacker extract credential hashes, read arbitrary database tables, or even achieve remote code execution. A FHIR Patient Compartment Bypass let any authenticated user see care team data for every patient in the system, not just the patients they were authorized to access. The root cause was surprisingly simple: a PHP class never declared the right interface, so the patient-scoping filter was never applied to it.
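The failure mode behind that compartment bypass is worth seeing in code, because it is a general pattern rather than an OpenEMR quirk: when an access-control filter is applied only to classes that declare a marker interface, forgetting the `implements` clause makes the filter vanish with no error. The following is an added illustration, not OpenEMR's code; every interface, class and function name in it (`PatientScopedResource`, `AccessContext`, `applyPatientScopeOpen`, `applyPatientScopeClosed`, the `CareTeamResource*` classes) is hypothetical, and the care team rows are constructed sample data.

```php
<?php
// Added example, not OpenEMR's code: a simplified model of how a
// patient-scoping filter keyed on an interface declaration can be
// skipped without any error. All names here are hypothetical.
declare(strict_types=1);

// Resources that return patient-bound rows are expected to declare this
// interface so the dispatcher can scope them to the caller's compartment.
interface PatientScopedResource
{
    public function patientIdOf(array $row): ?string;
}

// The caller's compartment: the patient IDs this user may see.
final class AccessContext
{
    /** @param string[] $allowedPatientIds */
    public function __construct(
        public readonly string $userId,
        public readonly array $allowedPatientIds,
    ) {
    }
}

// Vulnerable dispatcher: a resource that forgets to declare the interface
// skips the filter entirely and every row is returned (fails open).
function applyPatientScopeOpen(object $resource, AccessContext $ctx, array $rows): array
{
    if (!$resource instanceof PatientScopedResource) {
        return $rows; // no interface, no filter, no error
    }
    return array_values(array_filter(
        $rows,
        fn(array $r) => in_array($resource->patientIdOf($r), $ctx->allowedPatientIds, true)
    ));
}

// Hardened dispatcher: an undeclared resource is a wiring bug, so refuse
// to serve anything rather than serve everything (fails closed).
function applyPatientScopeClosed(object $resource, AccessContext $ctx, array $rows): array
{
    if (!$resource instanceof PatientScopedResource) {
        throw new LogicException(
            get_class($resource) . ' returns patient rows but does not implement PatientScopedResource'
        );
    }
    return array_values(array_filter(
        $rows,
        fn(array $r) => in_array($resource->patientIdOf($r), $ctx->allowedPatientIds, true)
    ));
}

// The bug: same body as the fixed class, but the "implements" clause is
// missing, so instanceof is false and the open dispatcher never filters.
final class CareTeamResourceBuggy
{
    public function patientIdOf(array $row): ?string { return $row['patient'] ?? null; }
}

final class CareTeamResourceFixed implements PatientScopedResource
{
    public function patientIdOf(array $row): ?string { return $row['patient'] ?? null; }
}

// Constructed sample data: care team rows belonging to three different patients.
$rows = [
    ['patient' => 'p-100', 'member' => 'Dr. A'],
    ['patient' => 'p-200', 'member' => 'Dr. B'],
    ['patient' => 'p-300', 'member' => 'RN C'],
];
$ctx = new AccessContext('user-1', ['p-100']); // this user may see only p-100

printf("buggy class, open dispatcher:   %d rows\n",
    count(applyPatientScopeOpen(new CareTeamResourceBuggy(), $ctx, $rows)));
printf("fixed class, open dispatcher:   %d rows\n",
    count(applyPatientScopeOpen(new CareTeamResourceFixed(), $ctx, $rows)));
try {
    applyPatientScopeClosed(new CareTeamResourceBuggy(), $ctx, $rows);
} catch (LogicException $e) {
    echo "buggy class, closed dispatcher: refused (" . $e->getMessage() . ")\n";
}

// Startup check: every handler registered for a patient-bound resource must
// declare the interface, so the omission is caught at boot rather than by a patient.
$registry = ['CareTeam' => CareTeamResourceBuggy::class, 'CareTeamFixed' => CareTeamResourceFixed::class];
foreach ($registry as $name => $class) {
    if (!(new ReflectionClass($class))->implementsInterface(PatientScopedResource::class)) {
        echo "registry check: $name ($class) is not patient-scoped\n";
    }
}
```

Run it with `php` 8.1 or later. The lesson is in the two dispatchers: an `instanceof` gate that returns the unfiltered rows turns a missing declaration into an authorization bypass, while a gate that throws turns the same mistake into a crash in the first test run. The reflection loop at the end is the cheap regression check: whatever registry the application uses to map resource types to handler classes, walk it at startup (or in CI) and fail if a handler that serves patient data does not declare the scoping interface.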
AISLE researchers Stanislav Fort, Petr Simecek, and Pavel Kohout worked with OpenEMR maintainers to fix everything. AISLE generated patch proposals for all 38 CVEs. In some cases, like the critical SQL injection CVE-2026-23627, the fix shipped exactly as AISLE wrote it. Most of the patches landed in OpenEMR 8.0.0 on February 11, 2026, roughly four weeks after initial disclosure. The partnership's now formalized: AISLE PRO is integrated into OpenEMR's code review workflow, catching vulnerabilities before they reach production.
Hacker News commenters had a predictable reaction: these are basic vulnerabilities. SQL injection and cross-site scripting are security 101. But that's the point. Software that 200 million patients depend on had 38 of these basic flaws, some scoring a perfect 10.0. If an AI scanner can find them in weeks while human auditors found fewer over longer periods, we shouldn't be debating whether the bugs are basic. We should be asking why critical infrastructure still relies on periodic manual audits instead of continuous automated analysis. The same pattern showed up in Mozilla's report that the Mythos model identified 271 security bugs in Firefox, another case where automated scanning proved far faster than human analysis.