CVE-2026-33348
Stored XSS in OpenEMR Eye Exam Form Allows Script Injection
Publication date: 2026-03-25
Last updated on: 2026-03-26
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-emr | openemr | up to 8.0.0.3 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stored cross-site scripting (XSS) issue in OpenEMR versions prior to 8.0.0.3. It affects users with the 'Notes - my encounters' role who can fill in Eye Exam forms in patient encounters. An authenticated attacker with this role can insert malicious JavaScript code into the form answers. This code is then executed by any user with the same role when they view the form answers on patient encounter pages or in the visit history.
How can this vulnerability impact me?
The vulnerability allows an attacker to execute arbitrary JavaScript code within the context of the application for users with the specific role. This can lead to unauthorized actions such as stealing session tokens, manipulating data, or performing actions on behalf of other users. Because the vulnerability affects confidentiality and integrity, it can compromise sensitive patient information and disrupt normal operations.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this stored cross-site scripting (XSS) vulnerability in OpenEMR, you should upgrade your OpenEMR installation to version 8.0.0.3 or later, as this version contains the patch that fixes the issue.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in OpenEMR allows authenticated users with a specific role to inject and execute arbitrary JavaScript code via stored cross-site scripting (XSS) in patient encounter forms. This can lead to unauthorized access or manipulation of sensitive patient data.
Such a vulnerability can impact compliance with regulations like GDPR and HIPAA, which require the protection of personal health information and mandate safeguards against unauthorized access and data breaches.
By enabling potential unauthorized data exposure or manipulation, this vulnerability could lead to violations of these standards, resulting in legal and regulatory consequences for affected organizations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the OpenEMR instance is running a vulnerable version (prior to 8.0.0.3) and by inspecting the Eye Exam form data for malicious JavaScript payloads in the Chronic Problems fields ($CHRONIC2 and $CHRONIC3).
To detect exploitation attempts or the presence of malicious payloads, you can search the database or application logs for suspicious input containing HTML tags that carry JavaScript, such as <img> tags with onerror attributes, or other script injections in the Eye Exam form fields.
Example commands to detect potential exploitation include:
- SQL queries that search the Chronic Problems fields for suspicious payloads, e.g. the strings `<img` or `onerror` in the relevant database columns. Example SQL command (adjust table and column names to your database schema):
  `SELECT * FROM eye_exam_form_data WHERE chronic2 LIKE '%<img%' OR chronic3 LIKE '%<img%' OR chronic2 LIKE '%onerror%' OR chronic3 LIKE '%onerror%';`
- Review web server or application logs for unusual input patterns or errors triggered by script execution.
- Use web vulnerability scanners or tools that detect stored XSS by submitting JavaScript payloads into the Eye Exam form fields and observing whether the payload executes when the form answers are viewed.
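The LIKE-based search above only catches the two literal strings it names. The following is an added example, not code from this record or from the OpenEMR project: it scans a constructed set of rows standing in for the Chronic Problems fields for the broader indicators a stored-XSS payload needs (an HTML tag start, an inline `on*=` event handler, a `javascript:` URI) and shows the output encoding that would have neutralised the stored value (CWE-79). The column names `chronic2`/`chronic3` and the sample rows are assumptions chosen to mirror the page's $CHRONIC2/$CHRONIC3 fields, not OpenEMR's real schema.

```python
import html
import re
from typing import Dict, List

# Constructed sample rows standing in for exported Eye Exam form records.
# The "chronic2"/"chronic3" keys mirror the page's $CHRONIC2/$CHRONIC3 fields;
# they are placeholders, not OpenEMR's actual table or column names.
SAMPLE_ROWS: List[Dict[str, object]] = [
    {"id": 1, "chronic2": "Glaucoma, controlled", "chronic3": "Dry eye syndrome"},
    {"id": 2, "chronic2": "Diabetic retinopathy <img src=x onerror=alert(1)>", "chronic3": ""},
    {"id": 3, "chronic2": "Cataract OS", "chronic3": "<script>alert(1)</script>"},
    # Legitimate clinical text with angle brackets: must NOT be flagged.
    {"id": 4, "chronic2": "Patient notes: BP < 140 and > 90", "chronic3": "Follow up in 6 months"},
]

# HTML tokenisation only opens a tag when '<' (optionally '</') is immediately
# followed by an ASCII letter, so "BP < 140" is plain text while "<img" is a tag.
TAG_RE = re.compile(r"</?[a-zA-Z]")
# Inline event handler attribute such as onerror=, onload=, onclick=.
EVENT_HANDLER_RE = re.compile(r"\bon[a-zA-Z]+\s*=", re.IGNORECASE)
# javascript: scheme inside an href/src attribute.
SCRIPT_SCHEME_RE = re.compile(r"javascript\s*:", re.IGNORECASE)


def scan_field(value: str) -> List[str]:
    """Return the list of XSS indicators present in one stored field value."""
    findings = []
    if TAG_RE.search(value):
        findings.append("html_tag")
    if EVENT_HANDLER_RE.search(value):
        findings.append("event_handler")
    if SCRIPT_SCHEME_RE.search(value):
        findings.append("javascript_uri")
    return findings


def scan_rows(rows: List[Dict[str, object]], fields=("chronic2", "chronic3")) -> List[Dict[str, object]]:
    """Scan the named fields of every row; one hit per (row, field) with indicators."""
    hits = []
    for row in rows:
        for field in fields:
            value = str(row.get(field, ""))
            findings = scan_field(value)
            if findings:
                hits.append({"id": row["id"], "field": field,
                             "indicators": findings, "value": value})
    return hits


def neutralize(value: str) -> str:
    """Output encoding for HTML body context: what the form renderer should apply
    before echoing a stored answer, so '<img ...>' is displayed, not parsed."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for hit in scan_rows(SAMPLE_ROWS):
        print(f"row {hit['id']} {hit['field']}: {hit['indicators']} -> {hit['value']!r}")
        print("  rendered safely as:", neutralize(hit["value"]))
```

Running it flags rows 2 and 3 and leaves row 4 alone; in practice the same `scan_field` can be run over a CSV export of the form table or over the POST bodies in application logs, since the indicators are independent of the storage format.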