CVE-2026-33914

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-33914
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33914.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33914
Aliases
  • GHSA-rq3v-38x5-3rm5
Published
2026-03-25T23:13:16.057Z
Modified
2026-04-10T05:42:58.567021Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
OpenEMR has SQL Injection in PostCalendar Category Delete
Details

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the PostCalendar module contains a blind SQL injection vulnerability in the categoriesUpdate administrative function. The dels POST parameter is read via pnVarCleanFromInput(), which only strips HTML tags and performs no SQL escaping. The value is then interpolated directly into a raw SQL DELETE statement that is executed unsanitized via Doctrine DBAL's executeStatement(). Version 8.0.0.3 patches the issue.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33914.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-89"
    ]
}
References

Affected packages

Git / github.com/openemr/openemr

Affected ranges

Type
GIT
Repo
https://github.com/openemr/openemr
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
7c96c8eefe460d6fadbccbe93d0fa6bf819acd69
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "8.0.0.3"
        }
    ]
}

Affected versions

Other
v2_7_2
v2_7_2-rc1
v2_7_2-rc2
v2_7_3-rc1
v2_8_0
v2_8_1
v2_8_2
v2_8_3
v2_9_0
v3_0_0
v3_0_1
v8_0_0
v8_0_0_1
v8_0_0_2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33914.json"