SQL injection in OpenEMR - CVE-2026-33910

Published: April 23, 2026


Vulnerability identifier: #VU127362
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33910
CWE-ID: CWE-89
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenEMR
Affected software:
OpenEMR

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary SQL commands.

The vulnerability exists due to improper neutralization of special elements used in an SQL command in the patient selection feature: entries read from the layout_options table are incorporated into the patient selection query without being neutralized. A remote privileged user can store a crafted payload in layout_options.field_id that is later executed as part of the query, allowing arbitrary SQL commands to be executed.

The proof of concept uses /interface/super/edit_layout.php to place the payload before triggering the vulnerable query in getByPatientDemographics in library/patient.inc.php.
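As an added illustration (not OpenEMR's code and not the proof of concept), the following constructed model shows the second-order pattern described above: field_id values stored in layout_options are later spliced into a patient query as column identifiers. Identifiers cannot be bound as query parameters, so the hardened variant allowlists each stored field_id against the real table schema before building the query; the table and column names here are assumptions.

```python
import re
import sqlite3

# Constructed model of the pattern in the advisory (not OpenEMR's code):
# layout_options.field_id holds column names that a later patient-selection
# query splices into SQL as identifiers, so a tainted field_id becomes SQL.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_db():
    """Constructed in-memory schema standing in for the patient and layout tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE patient_data (pid INTEGER, fname TEXT, lname TEXT, DOB TEXT);
        INSERT INTO patient_data VALUES (1, 'Ann', 'Lee', '1980-01-01');
        CREATE TABLE layout_options (form_id TEXT, field_id TEXT);
        INSERT INTO layout_options VALUES ('DEM', 'fname');
        INSERT INTO layout_options VALUES ('DEM', 'lname');
    """)
    return db


def demographic_fields(db):
    """Read the stored field_id values that drive the patient-selection query."""
    rows = db.execute(
        "SELECT field_id FROM layout_options WHERE form_id = 'DEM' ORDER BY rowid")
    return [r[0] for r in rows]


def vulnerable_query(fields):
    # Trusts stored field_id values as identifiers: second-order injection (CWE-89).
    # The pid value is parameterised, but the column list is not, which is the flaw.
    return "SELECT " + ", ".join(fields) + " FROM patient_data WHERE pid = ?"


def rejected_fields(db, fields):
    """Return every stored field_id that is not a well-formed, existing column name."""
    columns = {row[1] for row in db.execute("PRAGMA table_info(patient_data)")}
    return [f for f in fields if not IDENT_RE.match(f) or f not in columns]


def hardened_query(db, fields):
    # Allowlist against the schema, then quote each identifier before splicing.
    bad = rejected_fields(db, fields)
    if bad:
        raise ValueError(f"rejected field_id values: {bad!r}")
    return "SELECT " + ", ".join(f'"{c}"' for c in fields) + " FROM patient_data WHERE pid = ?"


def select_patient(db, pid, fields):
    """Run the hardened query for one patient, binding pid as a parameter."""
    return db.execute(hardened_query(db, fields), (pid,)).fetchone()
```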


How to mitigate CVE-2026-33910

Install the security update from the vendor's website.