CVE-2026-33348
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
2Tags
Description
OpenEMR is a free and open source electronic health records and medical practice management application. Users with the `Notes - my encounters` role can fill Eye Exam forms in patient encounters. The answers to the form are displayed on the encounter page and in the visit history for the users with the same role. Versions prior to 8.0.0.3 have a stored cross-site scripting (XSS) vulnerability in the function to display the form answers, allowing any authenticated attacker with the specific role to insert arbitrary JavaScript into the system by entering malicious payloads to the form answers. The JavaScript code is later executed by any user with the form role when viewing the form answers in the patient encounter pages or visit history. Version 8.0.0.3 contains a patch.
Analysis
A stored cross-site scripting (XSS) vulnerability exists in OpenEMR's Eye Exam form functionality that allows authenticated users with the 'Notes - my encounters' role to inject malicious JavaScript payloads through form answers. OpenEMR versions prior to 8.0.0.3 are affected. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all OpenEMR instances and confirm versions; disable or restrict access to the Eye Exam form functionality if possible; alert users not to click suspicious links from encounter notifications. Within 7 days: Implement compensating controls (WAF rules, role-based access restrictions, input validation strengthening); conduct audit logs for suspicious Eye Exam form submissions; review staff access levels to the 'Notes - my encounters' role. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today