Company:
Date Published:
Author: Dennis Brinkrolf
Word count: 2053
Language: English
Hacker News points: None

Summary

OpenEMR, software widely used for electronic health records and medical practice management, was found to contain three critical code vulnerabilities that can be chained to gain pre-authentication command execution in the Patient Portal of OpenEMR 5.0.2.1 when an administrator user is targeted. The three issues are a Command Injection vulnerability, a Persistent Cross-Site Scripting (XSS) vulnerability, and an Insecure API Permissions vulnerability. Exploited by a remote attacker, they can lead to the compromise of sensitive patient data or of critical infrastructure. After the issues were reported, the OpenEMR team released a patch that addressed the first two vulnerabilities; the third was not fixed until version 5.0.2.2. Anyone hosting an OpenEMR instance is advised to update their installation immediately to protect against potential attacks.