CVE-2026-33917
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Description
OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.3 contais a SQL injection vulnerability in the ajax_save CAMOS form that can be exploited by authenticated attackers. The vulnerability exists due to insufficient input validation in the ajax_save page in the CAMOS form. Version 8.0.0.3 patches the issue.
Analysis
SQL injection in OpenEMR versions prior to 8.0.0.3 enables authenticated attackers to execute arbitrary SQL commands through the CAMOS form's ajax_save functionality, potentially leading to complete database compromise including extraction of sensitive health records, data modification, and service disruption. The vulnerability requires low-privilege authentication (PR:L) with no user interaction (UI:N) and is network-exploitable (AV:N), though EPSS assigns only 0.03% (8th percentile) exploitation probability and no public exploit identified at time of analysis. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: inventory all OpenEMR instances and confirm running versions; identify systems below 8.0.0.3 and restrict CAMOS form access to administrative users only pending patching. Within 7 days: apply vendor patch to upgrade all affected OpenEMR instances to version 8.0.0.3 or later; validate patches in non-production environments first. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today