CVE-2026-33932

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a stored cross-site scripting vulnerability in the CCDA document preview allows an attacker who can upload or send a CCDA document to execute arbitrary JavaScript in a clinician's browser session when the document is previewed. The XSL stylesheet sanitizes attributes for all other narrative elements but not for `linkHtml`, allowing `href="javascript:..."` and event handler attributes to pass through unchanged. Version 8.0.0.3 patches the issue.

CVSS v3 7.6 HIGH

7.6^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.3 / Impact : 4.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/openemr/openemr/commit/95e6078889b5399b12b59117f998560cd94bd47d	Patch
https://github.com/openemr/openemr/releases/tag/v8_0_0_3	Product
https://github.com/openemr/openemr/security/advisories/GHSA-g77x-9p3x-2j8f	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-26 00:16

Updated : 2026-03-26 16:27

NVD link : CVE-2026-33932

Mitre link : CVE-2026-33932

CVE.ORG link : CVE-2026-33932

JSON object : View

Products Affected

open-emr

openemr

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-33932", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.7, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2026-03-26T00:16:39.953", "references": [{"url": "https://github.com/openemr/openemr/commit/95e6078889b5399b12b59117f998560cd94bd47d", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openemr/openemr/security/advisories/GHSA-g77x-9p3x-2j8f", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a stored cross-site scripting vulnerability in the CCDA document preview allows an attacker who can upload or send a CCDA document to execute arbitrary JavaScript in a clinician's browser session when the document is previewed. The XSL stylesheet sanitizes attributes for all other narrative elements but not for `linkHtml`, allowing `href=\"javascript:...\"` and event handler attributes to pass through unchanged. Version 8.0.0.3 patches the issue."}, {"lang": "es", "value": "OpenEMR es una aplicaci\u00f3n de c\u00f3digo abierto y gratuita para registros de salud electr\u00f3nicos y gesti\u00f3n de consultorios m\u00e9dicos. Antes de la versi\u00f3n 8.0.0.3, una vulnerabilidad de cross-site scripting almacenado en la vista previa de documentos CCDA permite a un atacante que puede cargar o enviar un documento CCDA ejecutar JavaScript arbitrario en la sesi\u00f3n del navegador de un cl\u00ednico cuando se previsualiza el documento. La hoja de estilo XSL sanitiza los atributos para todos los dem\u00e1s elementos narrativos, pero no para 'linkHtml', permitiendo que 'href=\"javascript:...\"' y los atributos de gestor de eventos pasen sin cambios. La versi\u00f3n 8.0.0.3 corrige el problema."}], "lastModified": "2026-03-26T16:27:53.530", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E3E098AF-42A1-4798-85A7-80052F19F809", "versionEndExcluding": "8.0.0.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}