Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.2
OpenEMR PostCalendar module exposes sensitive data
CVE-2026-33914
Summary
OpenEMR's PostCalendar module in versions prior to 8.0.0.3 has a security flaw that could allow unauthorized access to sensitive information. This affects medical practices using OpenEMR. To protect your data, update to version 8.0.0.3 or later.
Original title
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the PostCalendar module contains a blind SQL injection vulnerabili...
Original description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the PostCalendar module contains a blind SQL injection vulnerability in the `categoriesUpdate` administrative function. The `dels` POST parameter is read via `pnVarCleanFromInput()`, which only strips HTML tags and performs no SQL escaping. The value is then interpolated directly into a raw SQL `DELETE` statement that is executed unsanitized via Doctrine DBAL's `executeStatement()`. Version 8.0.0.3 patches the issue.
nvd CVSS3.1
7.2
Vulnerability type
CWE-89
SQL Injection
Published: 26 Mar 2026 · Updated: 26 Mar 2026 · First seen: 26 Mar 2026