What is the CVSS score of CVE-2026-33933?

CVE-2026-33933 has a CVSS 3.1 base score of 6.1 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. EPSS exploitation probability: 0.0%.

Which versions of Openemr are affected by CVE-2026-33933?

Organizations using version 7.0.2.1 and should be aware of moderate risk from CVE-2026-33933, a cross-site scripting vulnerability rated CVSS 6.1.

Openemr CVE-2026-33933

MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2026-03-26 security-advisories@github.com

XSS Openemr

6.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

6.1 MEDIUM

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 26, 2026 - 00:22 vuln.today

CVE Published

Mar 26, 2026 - 00:16 nvd

MEDIUM 6.1

DescriptionGitHub Advisory

OpenEMR is a free and open source electronic health records and medical practice management application. Starting in version 7.0.2.1 and prior to version 8.0.0.3, a reflected cross-site scripting (XSS) vulnerability in the custom template editor allows an attacker to execute arbitrary JavaScript in an authenticated staff member's browser session by sending them a crafted URL. The attacker does not need an OpenEMR account. Version 8.0.0.3 patches the issue.

AnalysisAI

A reflected cross-site scripting (XSS) vulnerability exists in the custom template editor of OpenEMR, a widely-deployed open-source electronic health records system. Attackers can craft malicious URLs that, when clicked by authenticated staff members, execute arbitrary JavaScript within their browser sessions and gain access to sensitive medical data and system functions; notably, the attacker does not require an OpenEMR account themselves. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	The CVSS 3.1 score of 6.1 reflects a network-accessible vulnerability with low attack complexity, no privilege requirements for the attacker, but user interaction (the staff member must click the malicious link) and changed scope. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker researches a healthcare organization's use of OpenEMR and crafts a malicious URL containing JavaScript payload in the custom template editor parameter. The attacker emails a clinic manager with a pretext message (e.g., 'Click here to view your updated template'), embedding the malicious URL. …
Remediation	Immediately upgrade OpenEMR to version 8.0.0.3 or later, which contains the patches committed in https://github.com/openemr/openemr/commit/d5c8d49ef19983472b2d7db0dbebd2dac9d6a200 and https://github.com/openemr/openemr/commit/de9b6eb0da574430e8223c014cf4a05b0adc29d8. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 30 days: Identify affected systems running version 7.0.2.1 and and apply vendor patches as part of regular patch cycle. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-33933 vulnerability details – vuln.today

Back