Stored XSS Vulnerability in OpenEMR Affects Patient Encounter Forms
CVE-2026-33348

8.7HIGH

Key Information:

Vendor

Openemr

Status
Openemr
Vendor
CVE Published:
25 March 2026

What is CVE-2026-33348?

OpenEMR, an open-source electronic health records and medical practice management application, is susceptible to a stored cross-site scripting (XSS) vulnerability. This issue arises due to improper handling of form inputs in the Notes - my encounters role, specifically when users fill out Eye Exam forms. Attackers with this role can input malicious JavaScript code into the responses, which is subsequently displayed on the encounter pages and visit history for all users with the same role. This vulnerability is patched in version 8.0.0.3, which addresses the insecure functionality allowing arbitrary code execution when displaying form results.

Affected Version(s)

openemr < 8.0.0.3

References

https://github.com/openemr/openemr/security/advisories/GH...
x_refsource_CONFIRM
https://github.com/openemr/openemr/commit/f488efbe3eb7f17...
x_refsource_MISC
https://github.com/openemr/openemr/releases/tag/v8_0_0_3
x_refsource_MISC

CVSS V3.1

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.