OpenEMR has a SQL Injection Vulnerability in patient selection

7.2 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Description

OpenEMR is a free and open source electronic health records and medical practice management application. Versions up to and including 8.0.0.2 contain a SQL injection vulnerability in the patient selection feature that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the patient selection feature. Version 8.0.0.3 contains a patch.

Basic Information

ID CVE-2026-33910

Source GitHub_M

Published Mar 25, 2026 at 22:41

Modified Mar 26, 2026 at 19:52

Affected Product

Vendor openemr

Product openemr

Version < 8.0.0.3

Affected Versions openemr openemr < 8.0.0.3

CWE Classification

CWE-89

References

{
    "lastseen": "",
    "description": "OpenEMR is a free and open source electronic health records and medical practice management application. Versions up to and including 8.0.0.2 contain a SQL injection vulnerability in the patient selection feature that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the patient selection feature. Version 8.0.0.3 contains a patch.",
    "published": "2026-03-25T22:41:02.472Z",
    "modified": "2026-03-26T19:52:11.910Z",
    "type": "cve",
    "title": "OpenEMR has a SQL Injection Vulnerability in patient selection",
    "source": "GitHub_M",
    "references": "https://github.com/openemr/openemr/security/advisories/GHSA-x32c-xj5g-7jx7\nhttps://github.com/openemr/openemr/commit/73db3264aed253684532839380cae3b0a56c83d2\nhttps://github.com/openemr/openemr/releases/tag/v8_0_0_3",
    "id": "CVE-2026-33910",
    "bulletinFamily": "",
    "cwe": [
        "CWE-89"
    ],
    "cvelist": null,
    "sourceData": "openemr openemr < 8.0.0.3",
    "sourceHref": "",
    "cvss": {
        "score": 7.2,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "openemr",
    "version": "< 8.0.0.3",
    "vendor": "openemr",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

OpenEMR has a SQL Injection Vulnerability in patient selection_CVE-2026-33910