anonhaven
Ad

CVE-2026-33909

MEDIUM CVSS 3.1: 5.9 EPSS 0.00%
Updated Mar 26, 2026
Open-Emr
Parameter Value
CVSS 5.9 (MEDIUM)
Affected Versions before 8.0.0.3
Fixed In 8.0.0.3
Type CWE-89 (SQL Injection)
Vendor Open-Emr
Public PoC No

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, several variables in the MedEx recall/reminder processing code are concatenated directly into SQL queries without parameterization or type casting, enabling SQL injection. Version 8.0.0.3 contains a patch.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
High
Difficult to exploit
Privileges Required
High
Admin privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-89 SQL Injection

Vulnerable Products 1

Configuration From (including) Up to (excluding)
Open-Emr Openemr
cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
 8.0.0.3

References 3

https://github.com/openemr/openemr/commit/3d11d2fc1622147d4aa6fbca31a471e7402ff…
security-advisories@github.com
https://github.com/openemr/openemr/releases/tag/v8_0_0_3
security-advisories@github.com
https://github.com/openemr/openemr/security/advisories/GHSA-6vx2-w9hw-prqj
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-34056

Open-Emr

6.5

CVE-2026-34055

Open-Emr

6.3

CVE-2026-34053

Open-Emr

8.1

CVE-2026-34051

Open-Emr

5.4

CVE-2026-33934

Open-Emr

4.3