SQL Injection Vulnerability in OpenEMR Healthcare Management Software
CVE-2026-33910
7.2 HIGH
What is CVE-2026-33910?
OpenEMR, a widely used open-source electronic health records and medical practice management application, is susceptible to a SQL injection vulnerability in its patient selection feature. The weakness arises from inadequate input validation, which allows authenticated attackers to manipulate database queries. If exploited, it could lead to unauthorized data access or alteration. Users are strongly encouraged to upgrade to version 8.0.0.3 or later, which includes critical patches addressing this vulnerability.
Affected Version(s)
openemr < 8.0.0.3
