AISLE just found 38 security vulnerabilities in OpenEMR, one of the world's most widely used open-source electronic health record platforms. The software runs at over 100,000 medical providers serving 200 million patients. The flaws included SQL injection bugs rated CVSS 10.0 that could have let attackers dump entire databases of protected health information, execute code on servers, or bypass patient-scoped access controls in the FHIR API.

These weren't exotic zero-days. Several involved basic mistakes like concatenating user input directly into SQL queries with no validation or parameterization. The Patient REST API's sort parameter and the Immunization module's search function both had this issue. A single UNION SELECT payload could extract credential hashes or arbitrary table contents. If the database user had FILE privileges, an attacker could write a web shell and own the server.
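The concatenation flaw in a sort parameter, next to a hardened form, as an added example that is not OpenEMR's code or AISLE's patch. It uses Python and SQLite in place of OpenEMR's PHP and MySQL stack. The table, columns, sort keys and function names are all assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample schema and rows; not OpenEMR's real tables.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE patients (id INTEGER PRIMARY KEY, lname TEXT, dob TEXT);
        INSERT INTO patients (lname, dob) VALUES
            ('Novak', '1980-02-01'), ('Adams', '1975-06-30'), ('Lee', '1990-11-12');
    """)
    return db

# Allowlist: sort keys the API accepts, mapped to fixed column identifiers.
SORT_COLUMNS = {"name": "lname", "birthdate": "dob", "id": "id"}

def build_unsafe(sort):
    # The flawed pattern: caller-controlled text becomes part of the statement.
    return "SELECT id, lname FROM patients ORDER BY " + sort

def parse_sort(sort):
    """Turn a sort value such as '-birthdate' into a trusted ORDER BY clause."""
    direction = "ASC"
    if sort.startswith("-"):
        direction, sort = "DESC", sort[1:]
    if sort not in SORT_COLUMNS:
        raise ValueError("unsupported sort key")
    return f"{SORT_COLUMNS[sort]} {direction}"

def search_patients(db, name_prefix, sort="name"):
    # Identifiers cannot be bound as parameters, so the ORDER BY text is
    # taken only from the allowlist; it never contains caller input.
    order_by = parse_sort(sort)
    sql = f"SELECT lname FROM patients WHERE lname LIKE ? || '%' ORDER BY {order_by}"
    # The search value is bound as data. It can still act as a LIKE wildcard,
    # but it cannot change the structure of the statement.
    return [row[0] for row in db.execute(sql, (name_prefix,))]

if __name__ == "__main__":
    db = make_db()
    print(search_patients(db, "", "-birthdate"))
    hostile = "id, (SELECT 1)"  # constructed, harmless marker value
    print(build_unsafe(hostile))  # the marker lands inside the SQL text
    try:
        search_patients(db, "", hostile)
    except ValueError as exc:
        print("rejected:", exc)
```

Placeholders cover values only, which is why a sort or column parameter needs an allowlist rather than binding.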

AISLE's researchers, Stanislav Fort, Petr Simecek, and Pavel Kohout, started analyzing OpenEMR in December 2025. They reported the first batch of findings in January 2026. By February, OpenEMR 8.0.0 shipped with fixes for the bulk of the issues. The speed matters. For comparison, the previous major independent audit in 2018 turned up 23 vulnerabilities after an extended manual research effort. AISLE's autonomous analyzer found 38 in a single quarter.

The bigger story for the agent space is what happened after the findings. AISLE generated fix proposals for every CVE, writing patches that reused OpenEMR's own code patterns and sanitization helpers. AISLE wrote the patch for the most critical bug on its own.

Now AISLE PRO runs inside OpenEMR's code review workflow, catching vulnerabilities before they reach production. Brady Miller, MD, Executive Director of the OpenEMR Foundation, confirmed the integration is already working. Healthcare software has bugs. We knew that. An AI agent found dozens, proposed fixes, and embedded itself in the development process to stop the next batch from shipping.

AISLE's work demonstrates that AI-powered cybersecurity is becoming increasingly capable, finding vulnerabilities that previously required extensive manual effort. In fact, AISLE's research found that even smaller models can detect zero-days, challenging the assumption that only massive AI systems can find security flaws.