What is the CVSS score of CVE-2026-33912?

CVE-2026-33912 has a CVSS 3.1 base score of 5.4 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of Openemr are affected by CVE-2026-33912?

Organizations using OpenEMR should be aware of moderate risk from CVE-2026-33912, a cross-site scripting vulnerability rated CVSS 5.4.

How to fix or mitigate CVE-2026-33912?

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Verify Content-Security-Policy and output encoding.

Openemr CVE-2026-33912

MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2026-03-25 GitHub_M

XSS Openemr

5.4

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

5.4 MEDIUM

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 25, 2026 - 23:02 vuln.today

CVE Published

Mar 25, 2026 - 22:51 nvd

MEDIUM 5.4

DescriptionGitHub Advisory

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an authenticated attacker could craft a malicious form that, when submitted by a victim, executes arbitrary JavaScript in the victim's browser session. Version 8.0.0.3 patches the issue.

AnalysisAI

OpenEMR versions prior to 8.0.0.3 contain a stored cross-site scripting (XSS) vulnerability in form handling that allows authenticated attackers to inject malicious JavaScript into forms, which executes in the browser sessions of victims who submit those forms. An attacker with valid OpenEMR credentials can craft a malicious form that, upon submission by any user, executes arbitrary JavaScript with the privileges of the victim's session, potentially leading to session hijacking, credential theft, or unauthorized actions within the electronic health records system. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	The CVSS 3.1 score of 5.4 reflects a Medium severity rating with specific vector characteristics: Network attack vector (AV:N) means remote exploitation is possible, Low complexity (AC:L) indicates no special conditions needed, Low privilege requirement (PR:L) mandates prior authentication, and Required user interaction (UI:R) necessitates victim action. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	A disgruntled healthcare staff member with valid OpenEMR credentials crafts a malicious patient intake form containing JavaScript that steals session tokens and forwards them to an attacker-controlled server. When a physician victim submits or reviews this form, the injected script silently executes in their authenticated browser session, allowing the attacker to assume the physician's identity and access sensitive patient records, modify medical histories, or intercept prescriptions. …
Remediation	Immediately upgrade OpenEMR to version 8.0.0.3 or later, which includes patches for form input sanitization and output encoding as detailed in the official release (https://github.com/openemr/openemr/releases/tag/v8_0_0_3). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33912 vulnerability details – vuln.today

Back