{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33910", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T15:41:47.491Z", "datePublished": "2026-03-25T22:41:02.472Z", "dateUpdated": "2026-03-25T22:41:02.472Z"}, "containers": {"cna": {"title": "OpenEMR has a SQL Injection Vulnerability in patient selection", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/openemr/openemr/security/advisories/GHSA-x32c-xj5g-7jx7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-x32c-xj5g-7jx7"}, {"name": "https://github.com/openemr/openemr/commit/73db3264aed253684532839380cae3b0a56c83d2", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/commit/73db3264aed253684532839380cae3b0a56c83d2"}, {"name": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3"}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"version": "< 8.0.0.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T22:41:02.472Z"}, "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Versions up to and including 8.0.0.2 contain a SQL injection vulnerability in the patient selection feature that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the patient selection feature. Version 8.0.0.3 contains a patch."}], "source": {"advisory": "GHSA-x32c-xj5g-7jx7", "discovery": "UNKNOWN"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "matchCriteriaId": "E3E098AF-42A1-4798-85A7-80052F19F809", "versionEndExcluding": "8.0.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Versions up to and including 8.0.0.2 contain a SQL injection vulnerability in the patient selection feature that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the patient selection feature. Version 8.0.0.3 contains a patch."}], "id": "CVE-2026-33910", "lastModified": "2026-03-26T16:19:40.627", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-25T23:17:10.173", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openemr/openemr/commit/73db3264aed253684532839380cae3b0a56c83d2"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-x32c-xj5g-7jx7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.0.0.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openemr", "source": "cna", "vendor": "openemr"}, "product": "openemr", "vendor": "openemr"}], "analysis": {"en": {"generated_at": "2026-03-26T00:55:26.084130+00:00", "value": {"mitigation_remediation": ["Upgrade OpenEMR to version 8.0.0.3 or later", "Verify that the database schema has been updated to the latest release to ensure the patch is effective", "Restrict application access to only authorized users and monitor authentication logs for suspicious activity"], "summary": {"action": "Apply Patch", "impact": "Data Breach"}, "threat_synthesis": {"affected_systems": "The flaw affects versions of OpenEMR up to and including 8.0.0.2. The vendor released a patch in version 8.0.0.3 that corrects the input validation issue.", "description_and_impact": "The vulnerability is a SQL injection flaw in the patient selection interface of OpenEMR. Authenticated users can supply unvalidated input that is inserted directly into database queries, allowing an attacker to read, modify or delete patient records and potentially extract sensitive personal health information.", "risk_and_exploitability": "With a CVSS score of 7.2 the weakness is considered high severity, yet no public exploit is currently documented and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires an attacker to be authenticated to the application, so the attack vector is inferred to be executable by malicious logged\u2011in users. The risk remains significant for installations using the affected releases."}}}}, "created": "2026-03-26T11:31:17.852197+00:00", "updated": "2026-03-26T12:09:20.995729+00:00", "vendors": ["openemr", "openemr$PRODUCT$openemr"]}