CVE-2026-33914 is a blind SQL injection vulnerability (CVSS 7.2) in OpenEMR versions prior to 8.0.0.3, affecting the PostCalendar module’s categoriesUpdate function. Exploitation requires valid administrative credentials but enables arbitrary SQL execution against the backend database, placing protected health information (PHI) at risk and creating HIPAA breach notification exposure. Upgrade to OpenEMR 8.0.0.3 immediately; doing so also applies the fixes for the related CVEs consolidated in the same release: CVE-2026-33917, CVE-2026-33918, and CVE-2026-33932. If PHI exposure cannot be ruled out through log review, engage your privacy officer.