Blind SQL Injection in OpenEMR's PostCalendar Module
CVE-2026-33914
7.2 HIGH
What is CVE-2026-33914?
The PostCalendar module in OpenEMR, an open-source electronic health records and practice management system, contains a blind SQL injection flaw in the categoriesUpdate administrative function. In versions before 8.0.0.3, the dels POST parameter was only stripped of HTML tags and was never escaped or bound as a parameter, so its value was interpolated directly into a raw SQL DELETE statement; anything in the parameter that was not an HTML tag, including SQL syntax, reached the database verbatim. Version 8.0.0.3 fixes the issue by handling the input safely.
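The two patterns the description contrasts, as an added PHP illustration that is not OpenEMR's own code: a handler that only runs strip_tags() on a comma-separated id list before interpolating it into a DELETE, next to a version that validates each entry as an integer and binds it through a prepared statement. The table and column names (pc_categories, cid), the function names and the in-memory SQLite database are assumptions made so the example runs stand-alone.

```php
<?php
// Added example, not OpenEMR code. Table/column names and the sample rows are
// constructed for this illustration; the SQLite in-memory DB stands in for MySQL.
declare(strict_types=1);

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE pc_categories (cid INTEGER PRIMARY KEY, name TEXT)');
    $ins = $db->prepare('INSERT INTO pc_categories (cid, name) VALUES (?, ?)');
    foreach ([[1, 'Clinic'], [2, 'Holiday'], [3, 'Meeting'], [4, 'Vacation']] as $row) {
        $ins->execute($row);
    }
    return $db;
}

// VULNERABLE PATTERN (the class of bug described above): strip_tags() removes
// HTML markup only. It is not SQL escaping, so the request value is spliced
// into the statement text unchanged. Behaves correctly for well-formed input,
// which is why the defect is invisible in normal use.
function deleteCategoriesUnsafe(PDO $db, string $dels): int
{
    $dels = strip_tags($dels);
    return $db->exec("DELETE FROM pc_categories WHERE cid IN ($dels)");
}

// HARDENED: reject anything that is not a plain integer, then bind every id as
// a separate placeholder so user input never becomes part of the SQL text.
// Returns the number of rows deleted; throws on any non-numeric entry.
function deleteCategoriesSafe(PDO $db, string $dels): int
{
    if (trim($dels) === '') {
        return 0;
    }
    $ids = [];
    foreach (explode(',', $dels) as $part) {
        $part = trim($part);
        if (preg_match('/^\d+$/', $part) !== 1) {
            throw new InvalidArgumentException(
                'rejected non-numeric category id: ' . var_export($part, true)
            );
        }
        $ids[] = (int) $part;
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("DELETE FROM pc_categories WHERE cid IN ($placeholders)");
    $stmt->execute($ids);          // ids are bound, not interpolated
    return $stmt->rowCount();
}

$db = setupDb();
echo deleteCategoriesUnsafe($db, '1'), " row deleted by the unsafe handler (benign input works)\n";
echo deleteCategoriesSafe($db, '2, 4'), " rows deleted by the hardened handler\n";
try {
    deleteCategoriesSafe($db, '3 extra');   // not an integer list: refused before any SQL runs
} catch (InvalidArgumentException $e) {
    echo "validation error: ", $e->getMessage(), "\n";
}
$left = (int) $db->query('SELECT COUNT(*) FROM pc_categories')->fetchColumn();
echo "$left row(s) remain\n";              // 1 (only cid 3)
```

The validation step matters as much as the binding: an integer id list has no legitimate reason to contain anything but digits and commas, so refusing everything else both closes the injection and gives a clear error to log when a request carries unexpected content in dels.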
Affected Version(s)
openemr < 8.0.0.3
