OpenEMR CVE-2026-33914

Severity: HIGH
SQL Injection (CWE-89)
Published 2026-03-25 · Source: GitHub_M
CVSS 3.1 base score 7.2 · GitHub Advisory

Severity by source

GitHub Advisory (primary): 7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory; it is the only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 25, 2026, 23:32 (vuln.today)
CVE Published: Mar 25, 2026, 23:13 (nvd)
HIGH 7.2

Description (GitHub Advisory)

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the PostCalendar module contains a blind SQL injection vulnerability in the categoriesUpdate administrative function. The dels POST parameter is read via pnVarCleanFromInput(), which only strips HTML tags and performs no SQL escaping. The value is then interpolated directly into a raw SQL DELETE statement that is executed unsanitized via Doctrine DBAL's executeStatement(). Version 8.0.0.3 patches the issue.
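The following PHP is an illustration added here by the editor; it is not OpenEMR's or the PostCalendar module's code and does not reproduce the patched commit. It contrasts the pattern the advisory describes (a request value that is only HTML-stripped, then interpolated into a raw DELETE executed through Doctrine DBAL's executeStatement()) with a parameterized rewrite. The table name postcalendar_categories, both function names, and the use of strip_tags() as a stand-in for an HTML-only cleaner are assumptions; executeStatement() and the array-parameter expansion are real Doctrine DBAL 3.6+/4.x APIs.

```php
<?php
declare(strict_types=1);

// Editor's illustrative example, NOT OpenEMR/PostCalendar code.
// Assumptions: table name `postcalendar_categories`, column `id`, Doctrine DBAL 3.6+/4.x
// (older DBAL 3.x spells the array type Connection::PARAM_INT_ARRAY).

use Doctrine\DBAL\ArrayParameterType;
use Doctrine\DBAL\Connection;

/**
 * Vulnerable pattern (the shape the advisory describes).
 * strip_tags() stands in for an HTML-only input cleaner: it removes tags but leaves
 * quotes, parentheses, semicolons and SQL keywords untouched, so the request value
 * still reaches the database as SQL text.
 */
function deleteCategoriesVulnerable(Connection $conn, string $dels): int
{
    $clean = strip_tags($dels);                                            // HTML stripped, no SQL escaping
    $sql   = "DELETE FROM postcalendar_categories WHERE id IN ($clean)";   // direct string interpolation
    return (int) $conn->executeStatement($sql);                            // runs whatever $clean contains
}

/**
 * Hardened form: treat `dels` as what it is supposed to be (a comma-separated list
 * of integer ids), reject anything else, and bind the ids as parameters so the
 * database never parses request data as SQL.
 */
function deleteCategoriesSafe(Connection $conn, string $dels): int
{
    $dels = trim($dels);
    if ($dels === '') {
        return 0;                                    // nothing selected, nothing deleted
    }

    $ids = [];
    foreach (explode(',', $dels) as $part) {
        $part = trim($part);
        if (!ctype_digit($part)) {                   // rejects '', '-1', '1 OR 1=1', quotes, etc.
            throw new InvalidArgumentException('dels must be a comma-separated list of integer ids');
        }
        $ids[] = (int) $part;
    }

    // DBAL expands the single "?" into one bound placeholder per integer.
    return (int) $conn->executeStatement(
        'DELETE FROM postcalendar_categories WHERE id IN (?)',
        [$ids],
        [ArrayParameterType::INTEGER]
    );
}

// Usage inside a request handler (constructed call; $conn is an existing DBAL Connection):
// $deleted = deleteCategoriesSafe($conn, (string) ($_POST['dels'] ?? ''));
```

The hardened version also narrows the attack surface beyond escaping: because every element must pass ctype_digit(), any request that is not a plain id list fails loudly before a query is built, which is also a convenient point to log and alert on malformed administrative requests.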

Analysis (AI-generated)

A blind SQL injection vulnerability exists in the PostCalendar module of OpenEMR, a widely used open source electronic health records system. Versions prior to 8.0.0.3 are affected, allowing authenticated administrators to execute arbitrary SQL commands through the categoriesUpdate function's dels parameter. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Access: Authenticate as admin user
Delivery: Access PostCalendar categoriesUpdate function
Exploit: Inject SQL in dels parameter
Execution: Execute arbitrary database commands
Impact: Exfiltrate or modify health records

Vulnerability Assessment (AI-generated)

Exploitation: Requires authenticated access as an OpenEMR administrator. …

Risk Assessment: The CVSS score of 7.2 (High) reflects the potential for complete compromise of confidentiality, integrity, and availability, tempered by the PR:H (high privileges required) constraint: only authenticated administrators can exploit it. …

Exploit Scenario: An attacker who has compromised an OpenEMR administrator account (through phishing, credential stuffing, or insider access) sends a crafted POST request to the PostCalendar categoriesUpdate administrative function with a SQL injection payload in the dels parameter. Because the input is only HTML-sanitized and not SQL-escaped, the attacker can extract sensitive patient health records, authentication credentials, or other database contents through time-based or boolean-based blind SQL injection techniques. …

Remediation: Upgrade OpenEMR to version 8.0.0.3 or later, which contains the patch for this SQL injection vulnerability, documented in commit 1b851fc9af84f181ad7a84210a168d0d568cd442 (https://github.com/openemr/openemr/commit/1b851fc9af84f181ad7a84210a168d0d568cd442). …

Recommended Action (AI-generated)

Within 24 hours: Identify all OpenEMR instances and their versions; restrict administrative access to PostCalendar module functionality; review recent administrator account activity logs for suspicious SQL-like activity. …
