CVE-2026-33909
MEDIUMOpenEMR Vulnerable to SQL Injection via Unsanitized Variables in MedEx Recall/Reminder Processing
Title source: cnaDescription
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, several variables in the MedEx recall/reminder processing code are concatenated directly into SQL queries without parameterization or type casting, enabling SQL injection. Version 8.0.0.3 contains a patch.
References (3)
Core 3
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/openemr/openemr/security/advisories/GHSA-6vx2-w9hw-prqj
X_Refsource_Misc x_refsource_misc
https://github.com/openemr/openemr/commit/3d11d2fc1622147d4aa6fbca31a471e7402ffc65
X_Refsource_Misc x_refsource_misc
https://github.com/openemr/openemr/releases/tag/v8_0_0_3
Scores
CVSS v3
5.9
EPSS
0.0033
EPSS Percentile
24.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (2)
open-emr/openemr
< 8.0.0.3
openemr/openemr
< 8.0.0.3
Published
Mar 25, 2026
Tracked Since
Mar 26, 2026