OpenEMR CVE-2026-33913
Severity: HIGH
CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Description (NVD)
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an authenticated user with access to the Carecoordination module can upload a crafted CCDA document containing <xi:include href="file:///etc/passwd" parse="text"/> to read arbitrary files from the server. Version 8.0.0.3 patches the issue.
Analysis (AI)
OpenEMR versions prior to 8.0.0.3 contain an XML External Entity (XXE) injection vulnerability in the Carecoordination module that allows authenticated users to read arbitrary files from the server. Attackers can exploit this by uploading a maliciously crafted CCDA document containing XXE payloads to access sensitive server files such as /etc/passwd. …
Remediation (AI)
Within 24 hours: Identify all OpenEMR instances and document current versions; restrict access to the Carecoordination module to essential personnel only. Within 7 days: Implement network segmentation to limit OpenEMR server exposure; enable logging and monitoring for CCDA document uploads. …
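A pre-parse screening step for CCDA uploads, as an added example in Python (not OpenEMR code): it rejects a document carrying an XInclude directive like the one quoted in the description, or a DOCTYPE, before any parser that might honour them sees the file, and returns findings that can feed the upload logging the remediation calls for. The sample documents are constructed; note that xi:include is XInclude processing, which most XML libraries control separately from DTD entity expansion, so disabling one does not disable the other.

```python
# Added example (not OpenEMR code): gate uploaded CCDA XML before parsing.
# Rejects XInclude directives and DOCTYPE declarations and reports findings.
import io
import re
import xml.etree.ElementTree as ET

XINCLUDE_NS = "http://www.w3.org/2001/XInclude"
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def screen_ccda(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means the document passed.

    ElementTree does not perform XInclude processing on its own, so walking
    the tree here only observes the directive; nothing is fetched.
    """
    findings = []
    if DOCTYPE_RE.search(data):
        findings.append("DOCTYPE declaration present (DTD processing not permitted)")
    try:
        for _, elem in ET.iterparse(io.BytesIO(data), events=("start",)):
            # Namespaced tags arrive as "{namespace}localname".
            if elem.tag.startswith("{" + XINCLUDE_NS + "}"):
                href = elem.get("href", "")
                findings.append(f"XInclude directive {elem.tag} href={href!r}")
    except ET.ParseError as exc:
        findings.append(f"malformed XML: {exc}")
    return findings


# Constructed sample documents (no real patient data). The first mirrors the
# CVE description: a CCDA carrying <xi:include> aimed at a local file. The
# second is a clean minimal CDA root that should pass.
MALICIOUS_CCDA = b"""<?xml version="1.0"?>
<ClinicalDocument xmlns="urn:hl7-org:v3" xmlns:xi="http://www.w3.org/2001/XInclude">
  <title>Summary</title>
  <xi:include href="file:///etc/passwd" parse="text"/>
</ClinicalDocument>"""

CLEAN_CCDA = b"""<?xml version="1.0"?>
<ClinicalDocument xmlns="urn:hl7-org:v3">
  <title>Summary</title>
</ClinicalDocument>"""

if __name__ == "__main__":
    for name, doc in (("malicious", MALICIOUS_CCDA), ("clean", CLEAN_CCDA)):
        result = screen_ccda(doc)
        print(name, "REJECTED" if result else "accepted", result)
```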