{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33914", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T15:41:47.492Z", "datePublished": "2026-03-25T23:13:16.057Z", "dateUpdated": "2026-03-26T19:52:11.785Z"}, "containers": {"cna": {"title": "OpenEMR has SQL Injection in PostCalendar Category Delete", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/openemr/openemr/security/advisories/GHSA-rq3v-38x5-3rm5", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-rq3v-38x5-3rm5"}, {"name": "https://github.com/openemr/openemr/commit/1b851fc9af84f181ad7a84210a168d0d568cd442", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/commit/1b851fc9af84f181ad7a84210a168d0d568cd442"}, {"name": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3"}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"version": "< 8.0.0.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T23:30:09.903Z"}, "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the PostCalendar module contains a blind SQL injection vulnerability in the `categoriesUpdate` administrative function. The `dels` POST parameter is read via `pnVarCleanFromInput()`, which only strips HTML tags and performs no SQL escaping. The value is then interpolated directly into a raw SQL `DELETE` statement that is executed unsanitized via Doctrine DBAL's `executeStatement()`. Version 8.0.0.3 patches the issue."}], "source": {"advisory": "GHSA-rq3v-38x5-3rm5", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33914", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T19:37:14.925379Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:52:11.785Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33914", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T19:37:14.925379Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T19:50:58.257Z"}}], "cna": {"title": "OpenEMR has SQL Injection in PostCalendar Category Delete", "source": {"advisory": "GHSA-rq3v-38x5-3rm5", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"status": "affected", "version": "< 8.0.0.3"}]}], "references": [{"url": "https://github.com/openemr/openemr/security/advisories/GHSA-rq3v-38x5-3rm5", "name": "https://github.com/openemr/openemr/security/advisories/GHSA-rq3v-38x5-3rm5", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openemr/openemr/commit/1b851fc9af84f181ad7a84210a168d0d568cd442", "name": "https://github.com/openemr/openemr/commit/1b851fc9af84f181ad7a84210a168d0d568cd442", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "name": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the PostCalendar module contains a blind SQL injection vulnerability in the `categoriesUpdate` administrative function. The `dels` POST parameter is read via `pnVarCleanFromInput()`, which only strips HTML tags and performs no SQL escaping. The value is then interpolated directly into a raw SQL `DELETE` statement that is executed unsanitized via Doctrine DBAL's `executeStatement()`. Version 8.0.0.3 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T23:30:09.903Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33914", "state": "PUBLISHED", "dateUpdated": "2026-03-26T19:52:11.785Z", "dateReserved": "2026-03-24T15:41:47.492Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-25T23:13:16.057Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "matchCriteriaId": "E3E098AF-42A1-4798-85A7-80052F19F809", "versionEndExcluding": "8.0.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the PostCalendar module contains a blind SQL injection vulnerability in the `categoriesUpdate` administrative function. The `dels` POST parameter is read via `pnVarCleanFromInput()`, which only strips HTML tags and performs no SQL escaping. The value is then interpolated directly into a raw SQL `DELETE` statement that is executed unsanitized via Doctrine DBAL's `executeStatement()`. Version 8.0.0.3 patches the issue."}, {"lang": "es", "value": "OpenEMR es una aplicaci\u00f3n de gesti\u00f3n de registros de salud electr\u00f3nicos y pr\u00e1ctica m\u00e9dica gratuita y de c\u00f3digo abierto. Antes de la versi\u00f3n 8.0.0.3, el m\u00f3dulo PostCalendar contiene una vulnerabilidad de inyecci\u00f3n SQL ciega en la funci\u00f3n administrativa 'categoriesUpdate'. El par\u00e1metro POST 'dels' se lee a trav\u00e9s de 'pnVarCleanFromInput()', que solo elimina etiquetas HTML y no realiza ning\u00fan escape SQL. El valor se interpola directamente en una sentencia SQL 'DELETE' sin procesar que se ejecuta sin sanitizar a trav\u00e9s de 'executeStatement()' de Doctrine DBAL. La versi\u00f3n 8.0.0.3 corrige el problema."}], "id": "CVE-2026-33914", "lastModified": "2026-03-26T18:34:17.990", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T00:16:39.137", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openemr/openemr/commit/1b851fc9af84f181ad7a84210a168d0d568cd442"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-rq3v-38x5-3rm5"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.0.0.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openemr", "source": "cna", "vendor": "openemr"}, "product": "openemr", "vendor": "openemr"}], "analysis": {"en": {"generated_at": "2026-03-26T20:54:19.225870+00:00", "value": {"mitigation_remediation": ["Upgrade OpenEMR to version 8.0.0.3 or newer"], "summary": {"action": "Patch Now", "impact": "Data tampering via blind SQL injection"}, "threat_synthesis": {"affected_systems": "All OpenEMR installations that use the PostCalendar module and run any version older than 8.0.0.3 are affected. The vulnerability resides in the administrative category update path of the OpenEMR application as shipped by the openemr vendor.", "description_and_impact": "OpenEMR\u2019s PostCalendar module contains a blind SQL injection flaw in the categoriesUpdate administrative function. The function reads the \u2018dels\u2019 POST parameter with a routine that only strips HTML tags, then directly inserts the unescaped value into a raw SQL DELETE statement executed by Doctrine DBAL. Because the query is built without any escaping or parameterization, an attacker could inject additional SQL code, corrupting or deleting calendar categories and any related data. The compromised data could include appointment information and other user\u2011generated records, undermining the integrity of the electronic health record system.", "risk_and_exploitability": "The CVSS score of 7.2 indicates high severity, while the EPSS score of less than 1% suggests that automated exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector requires authenticated administrative access to the PostCalendar module; thus it is considered a targeted threat that can be leveraged by an attacker who obtains or compromises such credentials to delete critical data or disrupt service."}}}}, "created": "2026-03-26T11:31:14.029715+00:00", "updated": "2026-03-27T09:29:24.470906+00:00", "vendors": ["openemr", "openemr$PRODUCT$openemr"]}