CVE-2026-33914

Name of the Vulnerable Software and Affected Versions OpenEMR versions prior to 8.0.0.3

Description OpenEMR is an electronic health records and medical practice management application. Versions prior to 8.0.0.3 contain a blind SQL injection issue within the PostCalendar module. The dels POST parameter is processed by the pnVarCleanFromInput() function, which removes HTML tags but does not perform SQL escaping. This unsanitized value is then directly incorporated into a raw SQL DELETE statement and executed using Doctrine DBAL's executeStatement() function. The vulnerable function is categoriesUpdate.

Recommendations Update to version 8.0.0.3 or later.