What is the CVSS score of CVE-2026-33910?

CVE-2026-33910 has a CVSS 3.1 base score of 7.2 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of Openemr are affected by CVE-2026-33910?

OpenEMR installations (versions up to 8.0.0.2) face a high-risk SQL injection vulnerability that could allow privileged insiders to breach patient database confidentiality and integrity.

How to fix or mitigate CVE-2026-33910?

Within 24 hours: Identify all OpenEMR instances and their versions; restrict database account privileges to least-privilege principles; enable database query logging and monitoring. Within 7 days: Implement WAF rules to block SQL injection patterns in patient selection requests; conduct access review of high-privilege accounts; document all compensating controls. Within 30 days: Contact OpenEMR vendor for patch ETA; evaluate network segmentation options to isolate OpenEMR; consider temporary restriction of patient selection feature to essential personnel only until patch availability.

Openemr CVE-2026-33910

HIGH

SQL Injection (CWE-89)

2026-03-25 GitHub_M

SQLi Openemr

7.2

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.2 HIGH

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 25, 2026 - 23:02 vuln.today

CVE Published

Mar 25, 2026 - 22:41 nvd

HIGH 7.2

DescriptionGitHub Advisory

OpenEMR is a free and open source electronic health records and medical practice management application. Versions up to and including 8.0.0.2 contain a SQL injection vulnerability in the patient selection feature that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the patient selection feature. Version 8.0.0.3 contains a patch.

AnalysisAI

OpenEMR versions up to and including 8.0.0.2 contain a SQL injection vulnerability in the patient selection feature that allows authenticated attackers with high privileges to execute arbitrary SQL commands. The vulnerability stems from insufficient input validation and can lead to complete compromise of confidentiality, integrity, and availability of the healthcare database. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Authenticate as high-privilege user

Delivery

Access patient selection feature

Exploit

Inject SQL payload into input field

Execution

Execute unauthorized database queries

Impact

Extract sensitive patient records

Access

Authenticate as high-privilege user

Delivery

Access patient selection feature

Exploit

Inject SQL payload into input field

Execution

Execute unauthorized database queries

Impact

Extract sensitive patient records

Vulnerability AssessmentAI

Exploitation	Authenticated attacker with high-privilege access (administrator or provider role) to OpenEMR versions up to 8.0.0.2. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS v3.1 score of 7.2 (High) reflects significant impact across confidentiality, integrity, and availability (all rated High), but the risk is substantially mitigated by requiring high privileges (PR:H) and authenticated access. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An authenticated attacker with high-level privileges (such as a compromised administrator account or malicious insider) accesses the patient selection feature in OpenEMR and injects malicious SQL commands through insufficient input validation points. The attacker crafts SQL payloads to extract sensitive patient health information including diagnoses, medications, and personal identifiable information, or modifies medical records to alter treatment histories. …
Remediation	Upgrade OpenEMR to version 8.0.0.3 or later, which contains a security patch that addresses the SQL injection vulnerability as documented in the release notes at https://github.com/openemr/openemr/releases/tag/v8_0_0_3. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all OpenEMR instances and their versions; restrict database account privileges to least-privilege principles; enable database query logging and monitoring. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33910 vulnerability details – vuln.today

Back

Openemr CVE-2026-33910

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code