CVE-2026-33303
Stored XSS in OpenEMR Portal Login Allows Staff Session Hijack
Publication date: 2026-03-19
Last updated on: 2026-03-20
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-emr | openemr | up to 8.0.0.2 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33303 is a stored cross-site scripting (XSS) vulnerability in OpenEMR versions prior to 8.0.0.2. It occurs because the patient portal login username (`portal_login_username`) is not properly escaped when displayed in the portal credential print view. A patient can set their login username to a malicious script payload, which then executes in the browser of a clinic staff member when they open the "Create Portal Login" page for that patient. This allows the malicious script to run in the staff/admin session context, crossing trust boundaries. [2]
How can this vulnerability impact me?
This vulnerability allows an authenticated patient portal user to inject and execute arbitrary JavaScript code in the browser of clinic staff members. The impact includes the ability for the attacker to access staff session cookies, read sensitive page content, and perform actions on behalf of the staff user. This can lead to unauthorized access to sensitive information and potentially further compromise of the system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves stored cross-site scripting (XSS) via the unescaped `portal_login_username` field in OpenEMR versions prior to 8.0.0.2. Detection involves identifying whether any patient portal usernames contain XSS payloads.

One approach is to query the database for suspicious usernames that contain typical XSS payload patterns such as script tags or event handlers.

- Run a SQL query on the `patient_access_onsite` table to find usernames with suspicious characters, for example: `SELECT portal_login_username FROM patient_access_onsite WHERE portal_login_username LIKE '%<%' OR portal_login_username LIKE '%"%' OR portal_login_username LIKE '%onerror=%';`
- Monitor web server logs for unusual requests to the portal credential print view or the Create Portal Login page that might include suspicious payloads.

Since the vulnerability requires a staff member to open the affected patient's portal credential page, monitoring browser behavior or using web application security scanners that detect stored XSS in the portal credential print view may also help. [2]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade OpenEMR to version 8.0.0.2 or later, where the vulnerability has been fixed by applying proper escaping to the portal_login_username field in the portal credential print template.
If immediate upgrade is not possible, restrict access to the patient portal credential print view and the Create Portal Login page to trusted staff only, and educate staff to be cautious when opening patient portal login pages.
Additionally, review and sanitize existing patient portal usernames in the database to remove any malicious payloads.
Implement web application firewall (WAF) rules to detect and block XSS payloads targeting the portal_login_username field.
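As an added example (not OpenEMR's own code), the detection heuristic from the SQL query in the detection answer and the output-escaping fix from the mitigation answer, modelled in Python over constructed rows. `render_credential_view` is a hypothetical stand-in for the credential print template; `patient_access_onsite` and `portal_login_username` are the names this page cites.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample rows standing in for the patient_access_onsite table.
# The table and column names come from this page; the rows are made up, and
# pids 3 and 4 carry textbook payloads of the kind the advisory describes.
SAMPLE_ROWS = [
    {"pid": 1, "portal_login_username": "jdoe"},
    {"pid": 2, "portal_login_username": "mary.smith"},
    {"pid": 3, "portal_login_username": "<img src=x onerror=alert(1)>"},
    {"pid": 4, "portal_login_username": 'bob"><script>alert(1)</script>'},
]

# Same heuristic as the SQL LIKE query: a '<', a '"' or 'onerror=' is suspicious.
SUSPICIOUS = re.compile(r'[<"]|onerror=', re.IGNORECASE)


def find_suspicious_usernames(rows):
    """Return the pids whose portal_login_username matches the XSS heuristic."""
    return [r["pid"] for r in rows if SUSPICIOUS.search(r["portal_login_username"])]


def render_credential_view(username, escape_output=True):
    """Hypothetical stand-in for the credential print template.

    escape_output=False reproduces the defect (raw username copied into HTML);
    escape_output=True is the fix the mitigation describes: HTML-escape it.
    """
    value = html.escape(username, quote=True) if escape_output else username
    return f"<p>Username: {value}</p>"


class _TagCollector(HTMLParser):
    """Records every start tag a browser would see in the rendered fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(rendered_html):
    """Tags beyond the template's own <p>; non-empty means username became markup."""
    parser = _TagCollector()
    parser.feed(rendered_html)
    return [t for t in parser.tags if t != "p"]
```

Running `find_suspicious_usernames` against a real export of the table gives the rows to review by hand, and `injected_tags` on the escaped rendering returning an empty list confirms the fixed template treats the username as text.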