Home / Vulnerability Intelligence / CVE-2026-29187

CVE-2026-29187 - Vulnerability Analysis

HighCVSS: 8.1

Last Updated: March 26, 2026

OpenEMR - SQL Injection

Published: March 25, 2026Updated: March 26, 2026PoC AvailableRemote Exploitable

Overview

OpenEMR < 8.0.0.3 contains a blind SQL injection caused by manipulation of HTTP parameter keys in Patient Search functionality (/interface/new/new_search_popup.php), letting authenticated attackers execute arbitrary SQL commands.

Severity & Score

Severity: High

CVSS Score: 8.1

EPSS Score: 0.2%(Probability of exploitation in next 30 days)

Impact

Authenticated attackers can execute arbitrary SQL commands, potentially leading to data disclosure or modification.

Mitigation

Upgrade to version 8.0.0.3 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 25, 2026

🟠 CVE-2026-29187 - High (8.1) OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a Blind SQL Injection vulnerability exists in the Patient Search functionality (/interface/new/new_search_popup.php)... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-29187/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

GitHub Repositories(1 repo)

https://github.com/ChrisSub08/CVE-2026-29187_SqlInjectionVulnerabilityOpenEMR7.0.4

Related Resources

Details

CVE ID: CVE-2026-29187
Severity: High
CVSS Score: 8.1
Type: sql_injection
Status: confirmed
EPSS: 0.2%
Social Posts: 1

CWE

CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

EPSS Score

0.2%Probability of exploitation in the next 30 days