{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33914", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T15:41:47.492Z", "datePublished": "2026-03-25T23:13:16.057Z", "dateUpdated": "2026-03-26T19:52:11.785Z"}, "containers": {"cna": {"title": "OpenEMR has SQL Injection in PostCalendar Category Delete", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/openemr/openemr/security/advisories/GHSA-rq3v-38x5-3rm5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-rq3v-38x5-3rm5"}, {"name": "https://github.com/openemr/openemr/commit/1b851fc9af84f181ad7a84210a168d0d568cd442", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/commit/1b851fc9af84f181ad7a84210a168d0d568cd442"}, {"name": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3"}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"version": "< 8.0.0.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T23:30:09.903Z"}, "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the PostCalendar module contains a blind SQL injection vulnerability in the `categoriesUpdate` administrative function. The `dels` POST parameter is read via `pnVarCleanFromInput()`, which only strips HTML tags and performs no SQL escaping. The value is then interpolated directly into a raw SQL `DELETE` statement that is executed unsanitized via Doctrine DBAL's `executeStatement()`. Version 8.0.0.3 patches the issue."}], "source": {"advisory": "GHSA-rq3v-38x5-3rm5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33914", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T19:37:14.925379Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:52:11.785Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "matchCriteriaId": "E3E098AF-42A1-4798-85A7-80052F19F809", "versionEndExcluding": "8.0.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the PostCalendar module contains a blind SQL injection vulnerability in the `categoriesUpdate` administrative function. The `dels` POST parameter is read via `pnVarCleanFromInput()`, which only strips HTML tags and performs no SQL escaping. The value is then interpolated directly into a raw SQL `DELETE` statement that is executed unsanitized via Doctrine DBAL's `executeStatement()`. Version 8.0.0.3 patches the issue."}, {"lang": "es", "value": "OpenEMR es una aplicaci\u00f3n de gesti\u00f3n de registros de salud electr\u00f3nicos y pr\u00e1ctica m\u00e9dica gratuita y de c\u00f3digo abierto. Antes de la versi\u00f3n 8.0.0.3, el m\u00f3dulo PostCalendar contiene una vulnerabilidad de inyecci\u00f3n SQL ciega en la funci\u00f3n administrativa 'categoriesUpdate'. El par\u00e1metro POST 'dels' se lee a trav\u00e9s de 'pnVarCleanFromInput()', que solo elimina etiquetas HTML y no realiza ning\u00fan escape SQL. El valor se interpola directamente en una sentencia SQL 'DELETE' sin procesar que se ejecuta sin sanitizar a trav\u00e9s de 'executeStatement()' de Doctrine DBAL. La versi\u00f3n 8.0.0.3 corrige el problema."}], "id": "CVE-2026-33914", "lastModified": "2026-03-26T18:34:17.990", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T00:16:39.137", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openemr/openemr/commit/1b851fc9af84f181ad7a84210a168d0d568cd442"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-rq3v-38x5-3rm5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.0.0.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openemr", "source": "cna", "vendor": "openemr"}, "product": "openemr", "vendor": "openemr"}], "analysis": {"en": {"generated_at": "2026-03-26T03:15:40.485456+00:00", "value": {"mitigation_remediation": ["Upgrade OpenEMR to version 8.0.0.3 or later to apply the vendor patch.", "If an upgrade cannot be performed immediately, disable or remove the PostCalendar module to eliminate the vulnerable endpoint.", "Restrict access to the categoriesUpdate function to trusted administrators and enforce stricter input validation or parameterized queries if custom code changes are made."], "summary": {"action": "Apply Patch", "impact": "SQL Injection allowing deletion of scheduling data in OpenEMR's PostCalendar module"}, "threat_synthesis": {"affected_systems": "All OpenEMR installations using the PostCalendar module prior to version 8.0.0.3 are vulnerable. The affected product is OpenEMR, and the issue specifically impacts users who have the categoriesUpdate administrative endpoint enabled.", "description_and_impact": "The flaw is a blind SQL injection in the PostCalendar module\u2019s categoriesUpdate function. The dels POST parameter is taken, stripped only of HTML tags, and then directly concatenated into a raw DELETE statement that is executed by Doctrine DBAL. An attacker who can supply a crafted value can cause arbitrary categories to be deleted or execute other SQL statements, thereby disrupting appointment records and potentially exposing sensitive data. This weakness is identified as CWE-89.", "risk_and_exploitability": "The CVSS v3.1 score of 7.2 classifies this flaw as high severity. No EPSS data is available and the vulnerability is not listed in CISA\u2019s KEV catalog, indicating that public exploits have not yet been reported. The likely attack vector requires authenticated administrator access to the PostCalendar interface; this inference is based on the fact that categoriesUpdate is part of the administrative functionality. If an attacker gains such privileges, the blind SQL injection could lead to deletion, modification, or exfiltration of sensitive scheduling information."}}}}, "created": "2026-03-26T11:31:14.029715+00:00", "updated": "2026-03-26T12:09:17.073922+00:00", "vendors": ["openemr", "openemr$PRODUCT$openemr"]}