CVE-2026-33932
Stored XSS in OpenEMR CCDA Preview Enables Arbitrary Script Execution
Publication date: 2026-03-26
Last updated on: 2026-03-26
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-emr | openemr | versions prior to 8.0.0.3 (8.0.0.3 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33932 is a stored cross-site scripting (XSS) vulnerability in OpenEMR's CCDA document preview feature affecting versions prior to 8.0.0.3.
The vulnerability occurs because the XSL stylesheet used to render CCDA documents sanitizes attributes for most narrative elements but does not sanitize attributes in the linkHtml element.
Specifically, the linkHtml template copies all attributes verbatim, allowing malicious href attributes like "javascript:" URIs and event handler attributes to pass through unsanitized.
An attacker who can upload or send a CCDA document can embed malicious JavaScript in a linkHtml element. When a clinician previews the document, the JavaScript executes in their browser session.
This enables execution of arbitrary JavaScript, potentially leading to session hijacking, unauthorized access to protected health information, and privilege escalation.
How can this vulnerability impact me?
This vulnerability can have serious impacts including:
- Execution of arbitrary JavaScript in a clinician's browser session.
- Hijacking of user sessions by accessing session cookies, which are not protected by httpOnly flags.
- Unauthorized access to protected health information (PHI).
- Privilege escalation within the OpenEMR system.
The vulnerability requires an attacker to have the ability to upload or send a CCDA document, which could be possible for staff with document-upload privileges or through integrations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether your OpenEMR instance is running a version prior to 8.0.0.3 and whether it accepts uploaded or sent CCDA documents, since such documents may contain linkHtml elements carrying JavaScript payloads.
A practical detection method is scanning stored CCDA XML documents for linkHtml elements whose href attribute starts with "javascript:" or that carry event handler attributes (e.g., onmouseover). Monitoring document uploads or previews for such payloads can help detect exploitation attempts.
Commands to detect suspicious CCDA documents might include a case-insensitive search of the uploaded document storage for 'href="javascript:' or event handler attributes within XML files. For example, on a Linux system, you could use:
- grep -ri 'href="javascript:' /path/to/uploaded/documents
- grep -ri 'onmouseover' /path/to/uploaded/documents
Additionally, monitoring web server logs or application logs for unusual requests involving CCDA document previews or uploads may help detect attempts to exploit this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation step is to upgrade OpenEMR to version 8.0.0.3 or later, where the vulnerability has been patched.
The patch modifies the XSLT template processing the linkHtml element to sanitize and validate the href attribute, allowing only http:// or https:// URLs and neutralizing unsafe links by replacing them with "#". It also adds security attributes to links to prevent tab-nabbing.
Until the upgrade can be applied, restrict or monitor the ability to upload or send CCDA documents, especially from untrusted users or integrations, to reduce the risk of malicious document uploads.
Implement additional security controls such as Content-Security-Policy headers to limit JavaScript execution and consider configuring session cookies as httpOnly to prevent JavaScript access.
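As an added example that is not OpenEMR's own code or stylesheet, the following Python scanner parses stored CCDA XML namespace-aware and flags the linkHtml attributes the unpatched stylesheet copies verbatim (a non-http(s) href or any on* handler), which catches the case and leading-whitespace variants the grep commands in the detection answer miss; it also includes a sanitizer applying the same href rule the 8.0.0.3 patch is described as using. The rel value and the sample document are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Browsers ignore leading whitespace/control characters and compare the URL
# scheme case-insensitively, so the check must do the same before matching.
_CTRL = re.compile(r"[\x00-\x20]+")
SAFE_SCHEMES = ("http:", "https:")

def href_is_safe(href):
    """True only for absolute http(s) URLs, the rule the 8.0.0.3 fix applies."""
    return _CTRL.sub("", href).lower().startswith(SAFE_SCHEMES)

def local_name(tag):
    """Strip the {urn:hl7-org:v3} namespace prefix that ElementTree adds."""
    return tag.rsplit("}", 1)[-1]

def find_unsafe_links(xml_text):
    """Return (attribute, value) pairs for every linkHtml attribute that the
    unpatched stylesheet would copy verbatim into the preview page."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local_name(el.tag) != "linkHtml":
            continue
        for name, value in el.attrib.items():
            lname = local_name(name).lower()
            if lname.startswith("on"):  # any inline event handler
                findings.append((lname, value))
            elif lname == "href" and not href_is_safe(value):
                findings.append((lname, value))
    return findings

def sanitize_link_attrs(attrs):
    """Rebuild a linkHtml attribute set along the lines of the patch: keep an
    http(s) href, replace anything else with '#', drop every other attribute.
    The rel value is an assumption about which 'security attributes' are added."""
    href = attrs.get("href", "#")
    return {"href": href if href_is_safe(href) else "#",
            "rel": "noopener noreferrer"}

# Constructed CCDA narrative fragment (not a real document) for a dry run.
SAMPLE_CCDA = """<ClinicalDocument xmlns="urn:hl7-org:v3">
 <component><section><text>
  <linkHtml href="https://example.org/results">Lab results</linkHtml>
  <linkHtml href=" JaVaScRiPt:void(0)">Open</linkHtml>
  <linkHtml href="https://example.org/x" onmouseover="void(0)">Hover</linkHtml>
 </text></section></component>
</ClinicalDocument>"""
```

Run find_unsafe_links over each XML file in the document storage to get a list of attributes to review; a non-empty result for a stored document is the signal to investigate.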
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to execute arbitrary JavaScript in a clinician's browser session by uploading or sending a malicious CCDA document. This can lead to session hijacking and unauthorized access to protected health information (PHI).
Unauthorized access to PHI due to this vulnerability could result in violations of regulations such as HIPAA, which mandates the protection of patient health information. Similarly, GDPR requires the protection of personal data, and exploitation of this vulnerability could lead to data breaches involving personal health data.
Therefore, the vulnerability poses a significant risk to compliance with standards and regulations that require safeguarding sensitive health information against unauthorized access and disclosure.