SQL injection in OpenEMR - CVE-2026-33909

Published: April 23, 2026


Vulnerability identifier: #VU127343
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33909
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenEMR
Affected software:
OpenEMR

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary SQL commands.

The vulnerability exists due to improper neutralization of special elements used in an SQL command in the MedEx recall/reminder processing code when processing MedEx preference values or external MedEx API response data. A remote privileged user can supply crafted input that is concatenated into SQL queries to execute arbitrary SQL commands.

MedEx must be explicitly enabled, and exploitation depends on controlling MedEx preference data or the MedEx API connection.
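The defect class described above is string concatenation of an untrusted value into an SQL statement, and the fix is to bind the value as a parameter (or allowlist it where it cannot be bound). The following is an added illustration written for this page, not OpenEMR's own code: it uses a constructed SQLite table standing in for a recall/reminder table, a hypothetical `status_pref` preference value, and a constructed hostile value, to show how the concatenated query changes shape while the parameterized one treats the same input as an inert literal.

```python
import sqlite3

# Constructed demo table standing in for a recall/reminder table.
# The schema is an assumption for this example, not OpenEMR's.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE recall (pid INTEGER, status TEXT)")
    conn.executemany(
        "INSERT INTO recall VALUES (?, ?)",
        [(1, "pending"), (2, "done"), (3, "pending")],
    )
    return conn


def recall_count_vulnerable(conn, status_pref):
    # CWE-89 pattern: the preference value is spliced into the statement text,
    # so any quote in it is parsed as SQL rather than data.
    sql = "SELECT COUNT(*) FROM recall WHERE status = '" + status_pref + "'"
    return conn.execute(sql).fetchone()[0]


def recall_count_fixed(conn, status_pref):
    # Bound parameter: the driver passes the value separately from the statement,
    # so the query structure is fixed no matter what the value contains.
    row = conn.execute(
        "SELECT COUNT(*) FROM recall WHERE status = ?", (status_pref,)
    ).fetchone()
    return row[0]


def recall_count_allowlisted(conn, status_pref, allowed=("pending", "done")):
    # Defense in depth: preference values drawn from a fixed vocabulary are
    # checked against an allowlist before they reach the database at all.
    if status_pref not in allowed:
        raise ValueError(f"unexpected preference value: {status_pref!r}")
    return recall_count_fixed(conn, status_pref)


def demo():
    conn = make_db()
    benign = "pending"
    # Constructed untrusted value; a single quote is enough to change the
    # meaning of the concatenated statement.
    hostile = "x' OR '1'='1"
    return {
        "vuln_benign": recall_count_vulnerable(conn, benign),    # 2 rows
        "vuln_hostile": recall_count_vulnerable(conn, hostile),  # 3 rows: WHERE clause became a tautology
        "fixed_benign": recall_count_fixed(conn, benign),        # 2 rows
        "fixed_hostile": recall_count_fixed(conn, hostile),      # 0 rows: value matched as a literal
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count}")
```

The same split applies to data returned by an external API: a response field that is concatenated into a query is an injection point just as much as a preference value, and binding it as a parameter (or allowlisting it when it must select a column or table name, which parameters cannot do) closes the gap.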


How to mitigate CVE-2026-33909

Install the security update from the vendor's website.

Sources