CVE-2026-33910

HIGH

OpenEMR <=8.0.0.2 Patient Selection - SQL Injection

Title source: manual

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-33910, a PoC published by ChrisSub08.

AI-analyzed exploit summary: This repository contains a functional proof-of-concept for CVE-2026-33910, demonstrating a SQL injection vulnerability in OpenEMR 8.0.0.2. The exploit leverages insufficient input validation in the patient selection feature: an authenticated attacker with rights to write the `layout_options` table stores a payload there, and the patient selection code later carries that stored value into a SQL query without adequate validation.

Description

OpenEMR is a free and open source electronic health records and medical practice management application. Versions up to and including 8.0.0.2 contain a SQL injection vulnerability in the patient selection feature: input reaching the patient selection query is insufficiently validated, so an authenticated attacker can inject SQL through it. Version 8.0.0.3 contains a patch; upgrade to 8.0.0.3 or later.
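The prerequisites the PoC analysis lists (a payload first written into `layout_options` by an admin-level user, then triggered through patient selection) describe a second-order, or stored, SQL injection: the query trusts configuration it reads back from its own database. The following is an added, constructed Python model of that pattern, not OpenEMR's code; the `patient_data` and `layout_options` schema, the column names, the query shape and the payload are assumptions made for illustration, and the page does not identify the actual vulnerable query in OpenEMR. It places the unsafe query builder beside a hardened one that validates every stored identifier against the real column set and binds the search term as a parameter.

```python
import re
import sqlite3

# Constructed stand-in schema (assumption: not OpenEMR's real tables).
# layout_options rows tell the patient finder which columns to search.
SCHEMA = """
CREATE TABLE patient_data (pid INTEGER PRIMARY KEY, fname TEXT, lname TEXT, ss TEXT);
CREATE TABLE layout_options (form_id TEXT, field_id TEXT, title TEXT);
INSERT INTO patient_data VALUES (1, 'Ann', 'Able', '111-22-3333');
INSERT INTO patient_data VALUES (2, 'Bob', 'Baker', '444-55-6666');
INSERT INTO layout_options VALUES ('DEM', 'lname', 'Last Name');
"""

# Hypothetical payload (assumption): a field_id that neutralises the intended
# predicate and appends a UNION that pulls the ss column into the result set.
PAYLOAD = "1=0 UNION SELECT pid, ss, lname FROM patient_data --"

# A stored column reference may only ever be a bare identifier.
IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_columns(conn):
    """Column names the search form is configured to query (read back as trusted data)."""
    return [r[0] for r in conn.execute(
        "SELECT field_id FROM layout_options WHERE form_id = 'DEM'")]


def poison_layout(conn):
    """The precondition from the advisory: a user with rights to edit layout_options
    stores the payload as a field_id. The write itself is an ordinary, parameterized
    insert; nothing about it looks like an injection attempt at this stage."""
    conn.execute("INSERT INTO layout_options VALUES ('DEM', ?, 'Evil')", (PAYLOAD,))
    conn.commit()


def find_patients_vulnerable(conn, term):
    """Unsafe: splices stored field_ids and the user's search term straight into SQL."""
    clauses = [f"{col} LIKE '{term}%'" for col in search_columns(conn)]
    sql = "SELECT pid, fname, lname FROM patient_data WHERE " + " OR ".join(clauses)
    return conn.execute(sql).fetchall()


def find_patients_hardened(conn, term):
    """Safe: every stored field_id must be a bare identifier that names a real
    patient_data column, and the search term is bound as a parameter, never spliced."""
    real_cols = {r[1] for r in conn.execute("PRAGMA table_info(patient_data)")}
    cols = search_columns(conn)
    bad = [c for c in cols if not IDENT.match(c) or c not in real_cols]
    if bad:
        raise ValueError(f"rejecting tampered layout_options field_id(s): {bad}")
    sql = ("SELECT pid, fname, lname FROM patient_data WHERE "
           + " OR ".join(f"{c} LIKE ?" for c in cols))
    return conn.execute(sql, [term + "%"] * len(cols)).fetchall()


if __name__ == "__main__":
    db = fresh_db()
    print("clean config, unsafe query:", find_patients_vulnerable(db, "Ab"))
    poison_layout(db)
    print("poisoned config, unsafe query:", find_patients_vulnerable(db, "Ab"))
    try:
        find_patients_hardened(db, "Ab")
    except ValueError as err:
        print("poisoned config, hardened query:", err)
```

With the clean configuration both builders return the same row. After `poison_layout`, the unsafe builder's WHERE clause becomes `lname LIKE 'Ab%' OR 1=0 UNION SELECT pid, ss, lname FROM patient_data -- LIKE 'Ab%'`, and the result set carries every patient's `ss` value regardless of the search term; the hardened builder refuses to run the query at all, which is the behaviour to prefer, since silently dropping the bad identifier would hide the tampering from logs and monitoring.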

Exploits (1)

nomisec WORKING POC
by ChrisSub08 · poc
https://github.com/ChrisSub08/CVE-2026-33910_SqlInjectionVulnerabilityOpenEMR8.0.0.2

Classification: Working PoC (95%)
Attack type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: OpenEMR < 8.0.0.3
Auth required: yes
Prerequisites: Authenticated access to OpenEMR · Admin privileges to insert payload into `layout_options` table
Analysis: devstral-2 · analyzed Apr 09, 2026

Scores

CVSS v3.1: 7.2 (High)
EPSS: 0.0043 (0.43%)
EPSS percentile: 33.9%
Attack vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical impact: total

Details

CWE: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection')
Status: published
Products (2):
open-emr/openemr < 8.0.0.3
openemr/openemr < 8.0.0.3
Published: Mar 25, 2026
Tracked since: Mar 26, 2026