CVE-2026-33933

{"id": "CVE-2026-33933", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2026-03-26T00:16:40.120", "references": [{"url": "https://github.com/openemr/openemr/commit/d5c8d49ef19983472b2d7db0dbebd2dac9d6a200", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openemr/openemr/commit/de9b6eb0da574430e8223c014cf4a05b0adc29d8", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "tags": ["Product"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openemr/openemr/security/advisories/GHSA-9qh7-cfq4-j7c3", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openemr/openemr/security/advisories/GHSA-9qh7-cfq4-j7c3", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Starting in version 7.0.2.1 and prior to version 8.0.0.3, a reflected cross-site scripting (XSS) vulnerability in the custom template editor allows an attacker to execute arbitrary JavaScript in an authenticated staff member's browser session by sending them a crafted URL. The attacker does not need an OpenEMR account. Version 8.0.0.3 patches the issue."}, {"lang": "es", "value": "OpenEMR es una aplicaci\u00f3n gratuita y de c\u00f3digo abierto de registros de salud electr\u00f3nicos y gesti\u00f3n de consultorios m\u00e9dicos. A partir de la versi\u00f3n 7.0.2.1 y antes de la versi\u00f3n 8.0.0.3, una vulnerabilidad de cross-site scripting (XSS) reflejado en el editor de plantillas personalizadas permite a un atacante ejecutar JavaScript arbitrario en la sesi\u00f3n del navegador de un miembro del personal autenticado envi\u00e1ndoles una URL manipulada. El atacante no necesita una cuenta de OpenEMR. La versi\u00f3n 8.0.0.3 corrige el problema."}], "lastModified": "2026-03-26T16:17:56.660", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "37A001F6-4070-4BC4-8A5A-B4CCEA856E39", "versionEndExcluding": "8.0.0.3", "versionStartIncluding": "7.0.2.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}