CVE-2026-33301
Received Received - Intake
Arbitrary File Read in OpenEMR PDF Eye Exam Export

Publication date: 2026-03-19

Last updated on: 2026-03-20

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users with the `Notes - my encounters` role can fill Eye Exam forms in patient encounters. The answers to the form can be printed out in PDF form. An arbitrary file read vulnerability was identified in the PDF creation function where the form answers are parsed as unescaped HTML, allowing an attacker to include arbitrary image files from the server in the generated PDF. Version 8.0.0.2 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-03-20
Generated
2026-06-16
AI Q&A
2026-03-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33301
EUVD
EUVD-2026-13162
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open-emr openemr to 8.0.0.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-33301 is an arbitrary file read vulnerability in OpenEMR versions prior to 8.0.0.2, specifically in the PDF generation function for Eye Exam forms.'}, {'type': 'paragraph', 'content': "Users with the 'Notes - my encounters' role can inject unescaped HTML image tags into the form answers. When the PDF is generated, the server reads and embeds the referenced local files from the server filesystem into the PDF."}, {'type': 'paragraph', 'content': 'This allows an attacker with limited privileges to read arbitrary files on the server, potentially exposing sensitive patient data or other confidential information.'}] [1]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information by allowing an attacker to read arbitrary files on the OpenEMR server.

  • Exposure of sensitive patient data stored on the server.
  • Disclosure of confidential server files that could aid further attacks.
  • Potential privacy violations due to leakage of protected health information.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by verifying if your OpenEMR installation is a version prior to 8.0.0.2 and if users with the "Notes - my encounters" role can insert unescaped HTML image tags in the Eye Exam form\'s HPI field.'}, {'type': 'paragraph', 'content': 'A practical detection method involves attempting to reproduce the exploit steps in a controlled environment:'}, {'type': 'list_item', 'content': 'Place an arbitrary image file on the server.'}, {'type': 'list_item', 'content': 'Log in as a user with the "Notes - my encounters" role.'}, {'type': 'list_item', 'content': 'Open or create a patient encounter and access the Eye Exam form.'}, {'type': 'list_item', 'content': 'Insert an HTML image tag referencing a local file path (e.g., <img src=file:///path/to/file>) in the HPI field.'}, {'type': 'list_item', 'content': 'Save the form and generate the PDF report.'}, {'type': 'paragraph', 'content': 'If the generated PDF includes the referenced local file, the vulnerability is present.'}, {'type': 'paragraph', 'content': 'No specific network commands are provided in the available resources, but monitoring PDF generation logs or scanning for OpenEMR versions prior to 8.0.0.2 can help identify vulnerable systems.'}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The immediate and recommended mitigation is to upgrade OpenEMR to version 8.0.0.2 or later, where the vulnerability has been fixed by sanitizing form output to prevent injection of unescaped HTML.'}, {'type': 'paragraph', 'content': 'Until the upgrade can be performed, restrict or review user permissions to ensure that only trusted users have the "Notes - my encounters" role, as this role is required to exploit the vulnerability.'}, {'type': 'paragraph', 'content': 'Additionally, monitor and audit PDF generation activities for suspicious or unexpected file inclusions.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33301. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart