Impact
The flaw is an insufficiently validated input path in the patient selection feature of OpenEMR, producing a classic SQL injection weakness identified as CWE‑89. An attacker who has already authenticated to the OpenEMR instance could inject malicious SQL into the lookup query, potentially using it to read all patient records, alter existing entries, or execute other database commands. The consequence is a breach of patient confidentiality and integrity of health information, with the impact spanning the entire patient database for that installation.
Affected Systems
OpenEMR versions up to and including 8.0.0.2 are vulnerable. The vendor released a patch in version 8.0.0.3 that eliminates the flaw. All installations running the vulnerable releases should be updated, and any custom extensions affecting patient lookup should be audited for similar input handling.
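One way to start the audit of custom extensions mentioned above is a first-pass scan for PHP lines that build SQL text from variables instead of passing them as bound parameters. This is an added example, not code from OpenEMR or from the advisory; the sample PHP is constructed, its `sqlStatement` calls stand in for whatever query helper an extension uses, and the line-based regex heuristic only flags candidates for human review.

```python
import re

# Constructed sample for illustration; not OpenEMR source code.
SAMPLE = r'''<?php
$a = sqlStatement("SELECT * FROM patient_data WHERE lname LIKE '" . $_POST['q'] . "%'");
$b = sqlStatement("SELECT * FROM patient_data WHERE pid = $pid");
$c = sqlStatement("SELECT * FROM patient_data WHERE pid = ?", array($pid));
echo "Selected " . $count . " patients";
'''

# String literals on one PHP line: double-quoted (interpolating) or single-quoted.
STRING_RE = re.compile(r'"((?:\\.|[^"\\])*)"|\'((?:\\.|[^\'\\])*)\'')
# A literal that looks like the start of a SQL statement.
SQL_RE = re.compile(
    r"\b(?:SELECT\b.*\bFROM|INSERT\s+INTO|UPDATE\b.*\bSET|DELETE\s+FROM)\b", re.I)
# $var or {$var} inside a double-quoted string (PHP interpolation).
INTERP_RE = re.compile(r"(?<!\\)\{?\$\{?[A-Za-z_]")
# A quote joined to a variable by the PHP concatenation operator.
CONCAT_RE = re.compile(r"""["']\s*\.\s*\$\w|\$\w+(?:\[[^\]]*\])*\s*\.\s*["']""")


def find_suspect_queries(php_source):
    """Return (line_no, reason) for lines that mix SQL text with variables.

    Heuristic: multi-line queries are missed and some hits will be benign,
    so every finding needs a manual look.
    """
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        has_sql = interpolated = False
        for dq, sq in STRING_RE.findall(line):
            if SQL_RE.search(dq or sq):
                has_sql = True
                # Only double-quoted PHP strings interpolate variables.
                if dq and INTERP_RE.search(dq):
                    interpolated = True
        if not has_sql:
            continue
        if interpolated:
            findings.append((line_no, "interpolated variable"))
        elif CONCAT_RE.search(line):
            findings.append((line_no, "concatenated variable"))
    return findings


if __name__ == "__main__":
    for line_no, reason in find_suspect_queries(SAMPLE):
        print(f"line {line_no}: {reason}")
```

The parameterized call on line 4 of the sample and the non-SQL `echo` on line 5 are not reported.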
Risk and Exploitability
The CVSS score of 7.2 classifies the risk as high, while the EPSS score of less than 1% suggests a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog, further indicating limited public exploitation. Based on the description, it is inferred that the attacker must first obtain valid credentials and then interact with the patient selection interface, which is typically accessed over the web. Consequently, the attack vector is most likely internal or over a compromised user session, and the required prerequisites include authenticated access and the ability to submit arbitrary query parameters. The combined severity and exploitation conditions point to a significant threat that warrants prompt remediation.