OpenEMR Flaws Expose Patient Search to SQL Injection and Eye Exam Forms to Stored XSS
OpenEMR disclosed two high-severity vulnerabilities affecting versions prior to 8.0.0.3, including an authenticated blind boolean-based SQL injection tracked as CVE-2026-29187 and a stored cross-site scripting flaw tracked as CVE-2026-33348. The SQL injection issue resides in the Patient Search component at /interface/new/new_search_popup.php and can be triggered by manipulating HTTP parameter keys rather than values, allowing a low-privileged authenticated attacker to target sensitive data and application integrity without user interaction.
The second flaw affects the Eye Exam form workflow, where a user with the Notes - my encounters role can inject malicious JavaScript into form answers such as $CHRONIC2 and $CHRONIC3. That payload is later executed when users with the same role view the encounter page or visit history, creating a stored XSS path inside the clinical workflow. Both issues were assigned on March 25, 2026, mapped to CWE-89 and CWE-79 respectively, and were patched in OpenEMR 8.0.0.3, with fixes published through the project release, commit history, and security advisory.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
CVE-2026-33348 and CVE-2026-29187 are publicly disclosed
Public advisories described two high-severity OpenEMR vulnerabilities: a stored cross-site scripting flaw exploitable by authenticated users with the 'Notes - my encounters' role, and an authenticated blind boolean-based SQL injection issue in Patient Search. Both disclosures referenced GitHub security advisories, fixes, and CVSS scoring.
OpenEMR 8.0.0.3 released with fixes for XSS and SQL injection flaws
OpenEMR version 8.0.0.3 was identified as the patched release for both vulnerabilities. The release and associated fixing commits addressed the stored XSS issue in encounter Eye Exam form handling and the blind SQL injection flaw in /interface/new/new_search_popup.php.
OpenEMR receives reports for two vulnerabilities
Security reports for CVE-2026-33348 and CVE-2026-29187 were received by security-advisories@github.com. The issues affected OpenEMR versions prior to 8.0.0.3 and involved stored XSS in Eye Exam forms and authenticated blind SQL injection in patient search functionality.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
CVE-2026-29187 - OpenEMR Vulnerable to Authenticated Blind Boolean-Based SQL Injection in new_search_popup.php
cvefeed.io
Open sourceCVE-2026-33348 - OpenEMR has Stored XSS in patient encounter Eye Exam form $CHRONIC2 and $CHRONIC3
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple Critical Vulnerabilities in Imaster MEMS Events CRM and Patient Records Management Systems
Several critical and high-severity vulnerabilities have been identified in Imaster's MEMS Events CRM and Patient Records Management System, including SQL injection and stored Cross-Site Scripting (XSS) flaws. The vulnerabilities, tracked as CVE-2025-41003, CVE-2025-41004, CVE-2025-41005, and CVE-2025-41006, were discovered by Gonzalo Aguilar García (6h4ack) and coordinated by INCIBE. Specifically, SQL injection vulnerabilities exist in the 'id' parameter of `/projects/hospital/admin/complaints.php` (CVE-2025-41004), the 'keyword' parameter of `/memsdemo/exchange_offers.php` (CVE-2025-41005), and the 'phone' parameter of `/memsdemo/login.php` (CVE-2025-41006`). Additionally, a stored XSS vulnerability (CVE-2025-41003) affects the 'firstname' parameter in `/projects/hospital/admin/edit_patient.php`. All vulnerabilities are remotely exploitable, with CVSS v4.0 base scores ranging from 5.1 (medium) to 9.3 (critical), and no patches have been reported as available. The vulnerabilities impact enterprise management software used for event and patient record management, posing significant risks of unauthorized access, data exfiltration, and potential compromise of sensitive information. The SQL injection flaws, in particular, allow attackers to execute arbitrary SQL commands, potentially leading to full database compromise. The stored XSS vulnerability enables the execution of arbitrary JavaScript in the context of affected users, increasing the risk of session hijacking and further exploitation. Organizations using Imaster's MEMS Events CRM or Patient Records Management System should urgently assess their exposure and implement compensating controls until official fixes are released.
Mar 21, 2026
SQL Injection Flaws Expose SourceCodester and CodeAstro Management Apps
MITRE has published two high-severity SQL injection vulnerabilities affecting widely available PHP-based management applications: **SourceCodester Payroll Management and Information System v1.0** and **CodeAstro Simple Attendance Management System v1.0**. The SourceCodester issue, tracked as `CVE-2026-37347`, affects `/payroll/view_employee.php` and is classified as `CWE-89`; its CVSS v3.1 vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N` indicates remote exploitation with no privileges or user interaction required, with high impact to confidentiality and integrity. The CodeAstro flaw, `CVE-2026-37749`, is also a `CWE-89` SQL injection bug and affects `index.php`, where the `username` parameter can be abused by remote, unauthenticated attackers to bypass authentication. Its CVSS v3.1 vector `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` reflects high impact across confidentiality, integrity, and availability. Both CVE entries were updated with severity details and public references, including GitHub documentation, underscoring the exposure of internet-reachable administrative and employee-management functions to straightforward injection attacks.
Apr 17, 2026
ChurchCRM Fixed Two SQL Injection Flaws in Property and Fundraiser Functions
ChurchCRM fixed two SQL injection vulnerabilities affecting versions prior to `7.1.0`, both of which could be exploited by authenticated users with low privileges to access or alter backend data. One flaw, tracked as `CVE-2026-34402`, was a time-based blind SQL injection in `PropertyAssign.php` that could be abused by users with **Edit Records** or **Manage Groups** permissions to exfiltrate or modify arbitrary database content, including user credentials, personally identifiable information, and configuration secrets. A second flaw, `CVE-2026-35566`, affected `src/Reports/FundRaiserStatement.php`, where an unquoted `$_SESSION['iCurrentFundraiser']` value was used in a numeric SQL context without integer validation after being set through `src/FundRaiserEditor.php`. The issue carried critical impact because it could compromise confidentiality, integrity, and availability, while both vulnerabilities were classified as `CWE-89` and addressed in ChurchCRM `7.1.0` through published GitHub security advisories.
Apr 7, 2026