CVE-2026-33914
Published: 26 March 2026
Summary
CVE-2026-33914 is a high-severity SQL Injection (CWE-89) vulnerability in Open-Emr Openemr. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 0.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 mandates validation of inputs like the unsanitized 'dels' POST parameter to directly prevent SQL injection in the categoriesUpdate function.
SI-2 requires timely flaw remediation, such as patching OpenEMR to version 8.0.0.3, to eliminate the SQL injection vulnerability.
RA-5 enables vulnerability scanning to identify SQL injection flaws like CVE-2026-33914 in the PostCalendar module prior to exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Blind SQL injection in a network-accessible web app admin function (categoriesUpdate) directly enables exploitation of the application to achieve arbitrary SQL execution with high impact on confidentiality/integrity/availability.
NVD Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the PostCalendar module contains a blind SQL injection vulnerability in the `categoriesUpdate` administrative function. The `dels` POST parameter is read via…
more
`pnVarCleanFromInput()`, which only strips HTML tags and performs no SQL escaping. The value is then interpolated directly into a raw SQL `DELETE` statement that is executed unsanitized via Doctrine DBAL's `executeStatement()`. Version 8.0.0.3 patches the issue.
Deeper analysisAI
CVE-2026-33914 is a blind SQL injection vulnerability in the PostCalendar module of OpenEMR, a free and open source electronic health records and medical practice management application. The issue affects versions prior to 8.0.0.3 and resides in the `categoriesUpdate` administrative function, where the `dels` POST parameter is processed via `pnVarCleanFromInput()`. This function only strips HTML tags without performing SQL escaping, allowing the unsanitized value to be directly interpolated into a raw SQL `DELETE` statement executed through Doctrine DBAL's `executeStatement()` method. The vulnerability is classified under CWE-89 with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Exploitation requires network access and high privileges (PR:H), typically administrative access to the affected OpenEMR instance. An attacker can submit a crafted `dels` POST parameter to the `categoriesUpdate` endpoint, triggering blind SQL injection in the DELETE query. This enables arbitrary SQL execution, potentially leading to high-impact confidentiality breaches (e.g., data exfiltration via blind techniques), integrity violations (e.g., unauthorized deletions or modifications), and availability disruptions (e.g., denial of service through destructive queries).
The vulnerability is patched in OpenEMR version 8.0.0.3, as detailed in the project's security advisory (GHSA-rq3v-38x5-3rm5), release notes, and the fixing commit. Security practitioners should upgrade to 8.0.0.3 or later and review access controls for administrative functions in the PostCalendar module to mitigate risks until patching is complete.
Details
- CWE(s)