Home / Vulnerability Intelligence / CVE-2026-33914

CVE-2026-33914 - Vulnerability Analysis

HighCVSS: 7.2

Last Updated: March 26, 2026

OpenEMR - SQL Injection

Published: March 26, 2026Updated: March 26, 2026PoC AvailableRemote Exploitable

Overview

OpenEMR < 8.0.0.3 contains a blind SQL injection caused by unsanitized 'dels' POST parameter in PostCalendar module's categoriesUpdate function, letting attackers execute arbitrary SQL commands remotely, exploit requires administrative access.

Severity & Score

Severity: High

CVSS Score: 7.2

Impact

Attackers with administrative access can execute arbitrary SQL commands, potentially leading to data compromise or system manipulation.

Mitigation

Upgrade to version 8.0.0.3 or later.

References

https://github.com/openemr/openemr/commit/1b851fc9af84f181ad7a84210a168d0d568cd442
https://github.com/openemr/openemr/releases/tag/v8_0_0_3
https://github.com/openemr/openemr/security/advisories/GHSA-rq3v-38x5-3rm5

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-33914
Severity: High
CVSS Score: 7.2
Type: sql_injection
Status: confirmed

CWE

CWE-89

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H