Stored XSS Vulnerability in OpenEMR Affects Users on Eye Exam Forms
CVE-2026-33299

8.5HIGH

Key Information:

Vendor: Openemr
Status: Openemr
Vendor: CVE Published:; 19 March 2026

What is CVE-2026-33299?

OpenEMR, the widely-used electronic health records management application, is affected by a stored cross-site scripting (XSS) vulnerability prior to version 8.0.0.2. Users assigned the 'Notes - my encounters' role can maliciously manipulate Eye Exam forms during patient encounters, injecting arbitrary JavaScript into the system. This injected code can be executed by any user with the same role when they access the form answers in the encounter details, posing significant risks to patient data integrity and security. Upgrading to version 8.0.0.2 mitigates this risk.

Affected Version(s)

openemr < 8.0.0.2

References

https://github.com/openemr/openemr/security/advisories/GH...

x_refsource_CONFIRM

https://github.com/openemr/openemr/commit/dccc962f06bdf61...

x_refsource_MISC

CVSS V4

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 19, 2026
Vulnerability Reserved
Mar 18, 2026

CVE-2026-33299 Data

JSON

Openemr

What is CVE-2026-33299?

Affected Version(s)

References

CVSS V4

Timeline