CVE-2026-29187

HIGH

OpenEMR Vulnerable to Authenticated Blind Boolean-Based SQL Injection in new_search_popup.php

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-29187. PoCs published by ChrisSub08.

AI-analyzed exploit summary The repository contains a functional SQL injection exploit for CVE-2026-29187 in OpenEMR 7.0.4, demonstrating how user-supplied input in the new search popup functionality is directly concatenated into SQL queries without proper sanitization. The PoC includes curl commands and SQL payloads that trigger the vulnerability.

Description

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a Blind SQL Injection vulnerability exists in the Patient Search functionality (/interface/new/new_search_popup.php). The vulnerability allows an authenticated attacker to execute arbitrary SQL commands by manipulating the HTTP parameter keys rather than the values. Version 8.0.0.3 contains a patch.

Exploits (1)

nomisec WORKING POC

by ChrisSub08 · poc

https://github.com/ChrisSub08/CVE-2026-29187_SqlInjectionVulnerabilityOpenEMR7.0.4

View Code ZIP pw:eip

The repository contains a functional SQL injection exploit for CVE-2026-29187 in OpenEMR 7.0.4, demonstrating how user-supplied input in the new search popup functionality is directly concatenated into SQL queries without proper sanitization. The PoC includes curl commands and SQL payloads that trigger the vulnerability.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: OpenEMR <8.0.0.3

Auth required

Prerequisites: Authenticated access to OpenEMR

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Apr 09, 2026 Full analysis →

References (3)

Core 3

Core References

X_Refsource_Confirm x_refsource_confirm

https://github.com/openemr/openemr/security/advisories/GHSA-2r7h-xm8v-m872

X_Refsource_Misc x_refsource_misc

https://github.com/openemr/openemr/commit/c61887aa7c83e83b3282db05246f1c00de3aa21d

View Writeup ZIP pw:eip

X_Refsource_Misc x_refsource_misc

https://github.com/openemr/openemr/releases/tag/v8_0_0_3

Scores

CVSS v3 8.1

EPSS 0.0047

EPSS Percentile 37.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-89

Status published

Products (2)

open-emr/openemr < 8.0.0.3

openemr/openemr < 8.0.0.3

Published Mar 25, 2026

Tracked Since Mar 26, 2026