Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the PostCalendar module contains a blind SQL injection vulnerability in the `categoriesUpdate` administrative function. The `dels` POST parameter is read via `pnVarCleanFromInput()`, which only strips HTML tags and performs no SQL escaping. The value is then interpolated directly into a raw SQL `DELETE` statement that is executed unsanitized via Doctrine DBAL's `executeStatement()`. Version 8.0.0.3 patches the issue.
Published: 2026-03-25
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Data tampering via blind SQL injection
Action: Patch Now
AI Analysis

Impact

OpenEMR’s PostCalendar module contains a blind SQL injection flaw in the categoriesUpdate administrative function. The function reads the ‘dels’ POST parameter with a routine that only strips HTML tags, then directly inserts the unescaped value into a raw SQL DELETE statement executed by Doctrine DBAL. Because the query is built without any escaping or parameterization, an attacker could inject additional SQL code, corrupting or deleting calendar categories and any related data. The compromised data could include appointment information and other user‑generated records, undermining the integrity of the electronic health record system.

Affected Systems

All OpenEMR installations that use the PostCalendar module and run any version older than 8.0.0.3 are affected. The vulnerability resides in the administrative category update path of the OpenEMR application as shipped by the openemr vendor.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity, while the EPSS score of less than 1% suggests that automated exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector requires authenticated administrative access to the PostCalendar module; thus it is considered a targeted threat that can be leveraged by an attacker who obtains or compromises such credentials to delete critical data or disrupt service.

Generated by OpenCVE AI on March 26, 2026 at 20:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenEMR to version 8.0.0.3 or newer

Generated by OpenCVE AI on March 26, 2026 at 20:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Open-emr
Open-emr openemr
CPEs cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products Open-emr
Open-emr openemr

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Openemr
Openemr openemr
Vendors & Products Openemr
Openemr openemr

Wed, 25 Mar 2026 23:45:00 +0000

Type Values Removed Values Added
References

Wed, 25 Mar 2026 23:30:00 +0000

Type Values Removed Values Added
Description OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the PostCalendar module contains a blind SQL injection vulnerability in the `categoriesUpdate` administrative function. The `dels` POST parameter is read via `pnVarCleanFromInput()`, which only strips HTML tags and performs no SQL escaping. The value is then interpolated directly into a raw SQL `DELETE` statement that is executed unsanitized via Doctrine DBAL's `executeStatement()`. Version 8.0.0.3 patches the issue.
Title OpenEMR has SQL Injection in PostCalendar Category Delete
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Open-emr Openemr
Openemr Openemr
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T19:52:11.785Z

Reserved: 2026-03-24T15:41:47.492Z

Link: CVE-2026-33914

cve-icon Vulnrichment

Updated: 2026-03-26T19:50:58.257Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T00:16:39.137

Modified: 2026-03-26T18:34:17.990

Link: CVE-2026-33914

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:29:24Z

Weaknesses