CVE-2026-33299
Status: Received - Intake
Stored XSS in OpenEMR Eye Exam Form Allows Script Injection

Publication date: 2026-03-19

Last updated on: 2026-03-20

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users with the `Notes - my encounters` role can fill **Eye Exam** forms in patient encounters. The answers to the form are displayed on the encounter page and in the visit history for the users with the same role. There exists a stored cross-site scripting (XSS) vulnerability in the function to display the form answers, allowing any authenticated attacker with the specific role to insert arbitrary JavaScript into the system by entering malicious payloads to the form answers. The JavaScript code is later executed by any user with the form role when viewing the form answers in the patient encounter pages or visit history. Version 8.0.0.2 fixes the issue.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-19
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: open-emr
Product: openemr
Version / Range: up to 8.0.0.2 (excluding)
Exploitability
CWE ID: CWE-79
Description: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33299 is a stored cross-site scripting (XSS) vulnerability in OpenEMR versions prior to 8.0.0.2, specifically affecting the Eye Exam form answers within patient encounters.

Users with the "Notes - my encounters" role can input malicious JavaScript payloads into the Eye Exam form fields. This malicious code is stored and later executed automatically when any user with the same role views the form answers on the encounter page, visit history, or when printing reports.

The vulnerability arises from improper neutralization of user input in the function that displays Eye Exam form answers, where variables like $HPI1 are echoed without sanitization, allowing arbitrary JavaScript injection.

This flaw allows an authenticated attacker with low privileges to inject malicious scripts that execute in the context of other users with the same role. [1]


How can this vulnerability impact me?

This vulnerability can lead to session hijacking, unauthorized actions, data exfiltration including sensitive patient records, and privilege escalation by targeting higher-privilege users who view the infected encounter data.

Because the malicious JavaScript executes in the context of other users with the same role, attackers can compromise medical data confidentiality and system integrity.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking for the presence of malicious JavaScript payloads in the Eye Exam form answers within patient encounters in OpenEMR versions prior to 8.0.0.2. Specifically, look for suspicious input fields such as the HPI field containing scripts like <img src=x onerror=alert(document.cookie)> or other JavaScript code.

Detection involves reviewing the database entries for the Eye Exam form answers for unsanitized or suspicious HTML/JavaScript content, especially in the fields displayed by the file openemr/interface/forms/eye_mag/report.php.

Since the vulnerability requires authenticated users with the 'Notes - my encounters' role, monitoring logs for unusual activity or unexpected JavaScript execution in the encounter pages or visit history can also help detect exploitation.

No specific commands are provided in the resources, but general approaches include:

- Querying the database for Eye Exam form answer fields containing suspicious script tags or event handlers.
- Using web application scanners or manual inspection of the Eye Exam form pages to identify stored XSS payloads.
- Reviewing web server logs for unusual requests or errors related to the Eye Exam form. [1]
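An added example (not from this page or the OpenEMR project) of the database review the answer above suggests: it walks constructed sample rows standing in for Eye Exam form answers and flags any value carrying active-content markup (script-type tags, on* event handlers, javascript: URIs) for manual review. The field names other than HPI, the row layout and the sample values are assumptions made for illustration, not taken from the OpenEMR schema.

```python
"""Flag stored Eye Exam form answers that carry active-content markup."""
from html.parser import HTMLParser

# Constructed sample rows standing in for Eye Exam form answers pulled from
# the OpenEMR database. Field names other than HPI1 are assumed.
SAMPLE_ROWS = [
    {"id": 1, "HPI1": "Patient reports blurred vision in left eye for 3 days."},
    {"id": 2, "HPI1": "<img src=x onerror=alert(document.cookie)>"},
    {"id": 3, "HPI1": "Follow-up <b>bold</b> note",
     "PLAN": '<a href="javascript:alert(1)">plan</a>'},
    {"id": 4, "HPI1": "<script>fetch('/steal')</script>"},
]


class _SuspiciousMarkup(HTMLParser):
    """Collects reasons why a value looks like injected active content."""
    DANGEROUS_TAGS = {"script", "iframe", "object", "embed"}

    def __init__(self):
        super().__init__()
        self.reasons = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag in self.DANGEROUS_TAGS:
            self.reasons.append(f"<{tag}> tag")
        for name, value in attrs:
            if name.startswith("on"):
                self.reasons.append(f"{name}= handler on <{tag}>")
            elif value and value.strip().lower().startswith("javascript:"):
                self.reasons.append(f"javascript: URI in {name} on <{tag}>")


def find_suspicious(value):
    """Return the reasons a single stored answer looks like stored XSS."""
    parser = _SuspiciousMarkup()
    parser.feed(value)
    parser.close()
    return parser.reasons


def scan_rows(rows):
    """Return (row id, field, reasons) for every field worth manual review."""
    findings = []
    for row in rows:
        for field, value in row.items():
            if field == "id" or not isinstance(value, str):
                continue
            reasons = find_suspicious(value)
            if reasons:
                findings.append((row["id"], field, reasons))
    return findings


if __name__ == "__main__":
    for row_id, field, reasons in scan_rows(SAMPLE_ROWS):
        print(f"row {row_id} field {field}: {'; '.join(reasons)}")
```

Harmless inline formatting such as the <b> tag in row 3 is not reported, so the output is a review list rather than a verdict; the flagged values should be inspected and cleaned by hand.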


What immediate steps should I take to mitigate this vulnerability?

The immediate and most effective mitigation step is to upgrade OpenEMR to version 8.0.0.2 or later, where the vulnerability has been fixed by properly sanitizing all user-supplied input in the Eye Exam form answers.

If upgrading immediately is not possible, consider restricting or disabling the 'Notes - my encounters' role from accessing or filling Eye Exam forms to prevent injection of malicious JavaScript.

Additionally, review and sanitize existing data in the Eye Exam form answers to remove any malicious scripts.

Implement monitoring for suspicious activity related to the Eye Exam forms and educate users about the risk of entering untrusted input. [1, 2]

