CVE-2026-33932
Received Received - Intake
Stored XSS in OpenEMR CCDA Preview Enables Arbitrary Script Execution

Publication date: 2026-03-26

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a stored cross-site scripting vulnerability in the CCDA document preview allows an attacker who can upload or send a CCDA document to execute arbitrary JavaScript in a clinician's browser session when the document is previewed. The XSL stylesheet sanitizes attributes for all other narrative elements but not for `linkHtml`, allowing `href="javascript:..."` and event handler attributes to pass through unchanged. Version 8.0.0.3 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33932
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open-emr openemr to 8.0.0.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33932 is a stored cross-site scripting (XSS) vulnerability in OpenEMR's CCDA document preview feature affecting versions prior to 8.0.0.3.

The vulnerability occurs because the XSL stylesheet used to render CCDA documents sanitizes attributes for most narrative elements but does not sanitize attributes in the linkHtml element.

Specifically, the linkHtml template copies all attributes verbatim, allowing malicious href attributes like "javascript:" URIs and event handler attributes to pass through unsanitized.

An attacker who can upload or send a CCDA document can embed malicious JavaScript in a linkHtml element. When a clinician previews the document, the JavaScript executes in their browser session.

This enables execution of arbitrary JavaScript, potentially leading to session hijacking, unauthorized access to protected health information, and privilege escalation.

Impact Analysis

This vulnerability can have serious impacts including:

  • Execution of arbitrary JavaScript in a clinician's browser session.
  • Hijacking of user sessions by accessing session cookies, which are not protected by httpOnly flags.
  • Unauthorized access to protected health information (PHI).
  • Privilege escalation within the OpenEMR system.

The vulnerability requires an attacker to have the ability to upload or send a CCDA document, which could be possible for staff with document-upload privileges or through integrations.

Detection Guidance

This vulnerability can be detected by identifying if your OpenEMR instance is running a version prior to 8.0.0.3 and if it allows uploading or sending CCDA documents that contain malicious linkHtml elements with JavaScript payloads.

A practical detection method involves crafting or scanning for CCDA XML documents containing linkHtml elements with href attributes starting with "javascript:" or event handler attributes (e.g., onmouseover). Monitoring document uploads or previews for such payloads can help detect exploitation attempts.

Commands to detect suspicious CCDA documents might include searching uploaded document storage for the presence of 'href="javascript:' or event handler attributes within XML files. For example, on a Linux system, you could use:

  • grep -r 'href="javascript:' /path/to/uploaded/documents
  • grep -r 'onmouseover' /path/to/uploaded/documents

Additionally, monitoring web server logs or application logs for unusual requests involving CCDA document previews or uploads may help detect attempts to exploit this vulnerability.

Mitigation Strategies

The immediate and most effective mitigation step is to upgrade OpenEMR to version 8.0.0.3 or later, where the vulnerability has been patched.

The patch modifies the XSLT template processing the linkHtml element to sanitize and validate the href attribute, allowing only http:// or https:// URLs and neutralizing unsafe links by replacing them with "#". It also adds security attributes to links to prevent tab-nabbing.

Until the upgrade can be applied, restrict or monitor the ability to upload or send CCDA documents, especially from untrusted users or integrations, to reduce the risk of malicious document uploads.

Implement additional security controls such as Content-Security-Policy headers to limit JavaScript execution and consider configuring session cookies as httpOnly to prevent JavaScript access.

Compliance Impact

This vulnerability allows an attacker to execute arbitrary JavaScript in a clinician's browser session by uploading or sending a malicious CCDA document. This can lead to session hijacking and unauthorized access to protected health information (PHI).

Unauthorized access to PHI due to this vulnerability could result in violations of regulations such as HIPAA, which mandates the protection of patient health information. Similarly, GDPR requires the protection of personal data, and exploitation of this vulnerability could lead to data breaches involving personal health data.

Therefore, the vulnerability poses a significant risk to compliance with standards and regulations that require safeguarding sensitive health information against unauthorized access and disclosure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33932. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart