SQL injection in OpenEMR - CVE-2026-33914

Published: April 23, 2026


Vulnerability identifier: #VU127354
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33914
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenEMR
Affected software:
OpenEMR

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary SQL commands.

The vulnerability exists due to improper neutralization of special elements used in an SQL command in the PostCalendar categoriesUpdate administrative function when handling the dels POST parameter. A remote privileged user can send a specially crafted POST parameter to execute arbitrary SQL commands.

The issue is blind and supports time-based data extraction.
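The pattern described above, a comma-separated list of ids taken from a POST parameter and spliced into a DELETE statement, is shown below beside its hardened form. This is an added illustration written for this advisory, not OpenEMR's or PostCalendar's own code: the `categories` table, its `id` column, and the function names are assumptions, the in-memory SQLite database is constructed sample data, and the fix is the standard one for CWE-89 (validate the list as integers, then bind each value through a placeholder rather than interpolating request text into the query).

```python
import re
import sqlite3

# Constructed sample schema; OpenEMR's real table and column names are not used here.
SAMPLE_ROWS = [(1, "Clinic"), (2, "Surgery"), (3, "Holiday")]


def setup_db():
    """Create an in-memory database with a hypothetical 'categories' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO categories VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def delete_categories_unsafe(conn, dels):
    """Vulnerable pattern: the raw request value becomes part of the SQL text.

    Whatever arrives in 'dels' is parsed by the database as SQL, which is the
    CWE-89 condition the advisory describes.  Returns the number of deleted rows.
    """
    cur = conn.execute("DELETE FROM categories WHERE id IN (" + dels + ")")
    conn.commit()
    return cur.rowcount


def parse_dels(dels):
    """Validate 'dels' as a non-empty, comma-separated list of ASCII integers.

    Anything that is not strictly digits is rejected before any SQL is built,
    so the request value can never change the shape of the statement.
    """
    ids = []
    for token in dels.split(","):
        token = token.strip()
        if not re.fullmatch(r"[0-9]+", token):
            raise ValueError(f"invalid category id in dels: {token!r}")
        ids.append(int(token))
    if not ids:
        raise ValueError("dels must contain at least one id")
    return ids


def delete_categories_safe(conn, dels):
    """Hardened form: validated integers bound through one placeholder per id.

    The query text is fixed apart from the count of '?' markers, which is
    derived from the validated list, not from the request string.
    """
    ids = parse_dels(dels)
    placeholders = ",".join("?" * len(ids))
    cur = conn.execute(
        f"DELETE FROM categories WHERE id IN ({placeholders})", ids
    )
    conn.commit()
    return cur.rowcount


def remaining_ids(conn):
    """Return the ids still present, sorted, for checking results."""
    return [row[0] for row in conn.execute("SELECT id FROM categories ORDER BY id")]


if __name__ == "__main__":
    conn = setup_db()
    print("deleted:", delete_categories_safe(conn, "1, 3"))   # 2
    print("remaining:", remaining_ids(conn))                   # [2]
    try:
        delete_categories_safe(conn, "2, abc")
    except ValueError as exc:
        print("rejected:", exc)
```

The whitelist in `parse_dels` is deliberately strict (ASCII digits only, since `str.isdigit` and `\d` also accept non-ASCII digits that `int()` may not parse the same way), and the placeholder list is sized from the validated ids, so the only data reaching the SQL engine as values is bound, never concatenated. In a code review, any `execute` call that builds the `IN (...)` clause from a request string, as the unsafe function does, is the line to flag.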


How to mitigate CVE-2026-33914

Install the security update from the vendor's website.

Sources