Reflected XSS Vulnerability in OpenEMR Electronic Health Records Software
CVE-2026-33933
CVSS score: 6.1 (Medium)
What is CVE-2026-33933?
OpenEMR, a widely used open-source electronic health records and medical practice management application, is affected by a reflected cross-site scripting (XSS) vulnerability in its custom template editor. An attacker who does not hold an OpenEMR account can cause arbitrary JavaScript to execute in the browser of an authenticated staff member. The issue affects versions from 7.0.2.1 up to, but not including, 8.0.0.3, which fixes it. Organizations running an affected version are strongly encouraged to update to 8.0.0.3 or later.
Affected Version(s)
openemr >= 7.0.2.1, < 8.0.0.3
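The following helper, added here and not part of the advisory or the OpenEMR project, turns the affected range above into a check a defender can run against an installed version string. Version strings are compared numerically component by component, with missing trailing components treated as zero (so `8.0.0` compares as `8.0.0.0`); any pre-release suffix (e.g. `-dev`) is assumed to be ignorable for range purposes and is stripped.

```python
import re
from typing import Tuple

# Affected range as stated in the advisory for CVE-2026-33933:
#   openemr >= 7.0.2.1, < 8.0.0.3
AFFECTED_MIN = "7.0.2.1"   # first affected version (inclusive)
FIXED_VERSION = "8.0.0.3"  # first fixed version (exclusive upper bound)


def parse_version(version: str, width: int = 4) -> Tuple[int, ...]:
    """Turn '7.0.2.1' or '8.0.0' into a fixed-width tuple of ints.

    Non-numeric trailing data such as '-dev' or '(1)' is dropped (assumption:
    it does not change where a build sits in the affected range). Missing
    components are padded with zeros so '8.0.0' sorts as (8, 0, 0, 0).
    """
    match = re.match(r"^\s*v?(\d+(?:\.\d+)*)", version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    if len(parts) > width:
        raise ValueError(f"too many version components: {version!r}")
    return parts + (0,) * (width - len(parts))


def is_affected(version: str) -> bool:
    """True if the given OpenEMR version falls inside the advisory's range."""
    v = parse_version(version)
    return parse_version(AFFECTED_MIN) <= v < parse_version(FIXED_VERSION)


if __name__ == "__main__":
    # Constructed sample inputs for a quick manual run.
    for sample in ["7.0.2", "7.0.2.1", "7.0.3", "8.0.0", "8.0.0.3", "8.0.1-dev"]:
        status = "AFFECTED - upgrade to 8.0.0.3+" if is_affected(sample) else "not in range"
        print(f"OpenEMR {sample:<10} {status}")
```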
