CVE-2026-33913

HIGH
2026-03-25 GitHub_M
7.7
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 25, 2026 - 23:02 vuln.today
CVE Published
Mar 25, 2026 - 22:52 nvd
HIGH 7.7

Tags

XXE

Description

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an authenticated user with access to the Carecoordination module can upload a crafted CCDA document containing `<xi:include href="file:///etc/passwd" parse="text"/>` to read arbitrary files from the server. Version 8.0.0.3 patches the issue.

Analysis

OpenEMR versions prior to 8.0.0.3 contain an XML External Entity (XXE) injection vulnerability in the Carecoordination module that allows authenticated users to read arbitrary files from the server. Attackers can exploit this by uploading a maliciously crafted CCDA document containing XXE payloads to access sensitive server files such as /etc/passwd. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 24 hours: Identify all OpenEMR instances and document current versions; restrict access to the Carecoordination module to essential personnel only. Within 7 days: Implement network segmentation to limit OpenEMR server exposure; enable logging and monitoring for CCDA document uploads. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

39
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +38
POC: 0

Share

CVE-2026-33913 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy