CVE-2026-29187
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a Blind SQL Injection vulnerability exists in the Patient Search functionality (/interface/new/new_search_popup.php). The vulnerability allows an authenticated attacker to execute arbitrary SQL commands by manipulating the HTTP parameter keys rather than the values. Version 8.0.0.3 contains a patch.
Analysis
A Blind SQL Injection vulnerability exists in OpenEMR's Patient Search functionality that allows authenticated attackers to execute arbitrary SQL commands by manipulating HTTP parameter keys instead of values. OpenEMR versions prior to 8.0.0.3 are affected. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all OpenEMR deployments and identify versions prior to 8.0.0.3; restrict Patient Search functionality to essential personnel only and audit recent search logs for suspicious activity. Within 7 days: Implement Web Application Firewall (WAF) rules to block SQL injection patterns in HTTP parameter keys; conduct PHI access audit to identify any unauthorized data exposure. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today