CVE-2026-33933
Reflected XSS in OpenEMR Template Editor Enables JS Execution

Publication date: 2026-03-26

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Starting in version 7.0.2.1 and prior to version 8.0.0.3, a reflected cross-site scripting (XSS) vulnerability in the custom template editor allows an attacker to execute arbitrary JavaScript in an authenticated staff member's browser session by sending them a crafted URL. The attacker does not need an OpenEMR account. Version 8.0.0.3 patches the issue.
Meta Information
Published: 2026-03-26
Last Modified: 2026-03-26
Generated: 2026-05-07
AI Q&A: 2026-03-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: open-emr
Product: openemr
Version / Range: from 7.0.2.1 (inclusive) to 8.0.0.3 (exclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-33933 is a reflected cross-site scripting (XSS) vulnerability in OpenEMR that allows an attacker to execute arbitrary JavaScript in an authenticated staff member's browser session by sending a crafted URL. This can lead to theft of session data, DOM manipulation, and unauthorized actions performed as the victim.

Given that OpenEMR is an electronic health records and medical practice management application, this vulnerability could potentially impact compliance with regulations such as HIPAA and GDPR by exposing sensitive healthcare data through session hijacking or unauthorized actions.

The vulnerability allows an unauthenticated attacker to target clinical and healthcare staff, increasing the risk of unauthorized access to protected health information (PHI) or personal data, which are protected under these regulations.

Therefore, failure to patch this vulnerability could lead to violations of confidentiality and integrity requirements mandated by standards like HIPAA and GDPR, potentially resulting in regulatory non-compliance.


Can you explain this vulnerability to me?

CVE-2026-33933 is a reflected cross-site scripting (XSS) vulnerability in OpenEMR's custom template editor, affecting versions from 7.0.2.1 up to but not including 8.0.0.3. The editor writes the `contextName` GET parameter directly into an HTML heading without escaping it, so a URL whose `contextName` value contains markup is rendered as markup rather than as text. An attacker crafts such a URL with an embedded script or event handler and sends it to a staff member; when the staff member opens it while logged in, the script runs in their browser with that session's privileges.

The attacker does not need an OpenEMR account to exploit this vulnerability. By sending a specially crafted URL to a staff member, the attacker can trigger arbitrary JavaScript execution in the victim's browser session.


How can this vulnerability impact me?

This vulnerability can lead to several security impacts including theft of session data, manipulation of the Document Object Model (DOM), and unauthorized actions performed on behalf of the victim user. Since the attack executes arbitrary JavaScript in the context of an authenticated staff member's session, it can compromise confidentiality and integrity of the application data.

  • Attack Vector: Remote network exploitation by sending a crafted URL.
  • Privileges Required: None for the attacker; victim must be an authenticated staff member.
  • User Interaction: Required (victim must click the malicious link).
  • Confidentiality Impact: Low (possible session data theft).
  • Integrity Impact: Low (possible unauthorized actions).
  • Availability Impact: None.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking whether your OpenEMR installation runs a vulnerable version (7.0.2.1 up to and including 8.0.0.2) and by confirming that the custom template editor is reachable.

A practical detection method is to test the vulnerable endpoint by sending a crafted URL that includes a malicious payload in the `contextName` GET parameter to see if the application reflects it without proper sanitization.

For example, you can use the following curl command to test the vulnerability. Replace <openemr_url> with your OpenEMR base URL and pass the session cookie of a logged-in staff account with -b, because the editor is only served to authenticated sessions; without the cookie the response is the login page (typically a redirect), which proves nothing either way. The payload is percent-encoded so that the request is valid HTTP (a raw `<` or space in the URL is rejected by many servers and proxies):

  • curl -i -b '<session cookie copied from a logged-in browser>' '<openemr_url>/library/custom_template/custom_template.php?ccFlag=id&type=description&contextName=%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E'

If the response body contains the injected `<img>` tag unescaped inside an `<h3>` element, the system is vulnerable. If it appears entity-encoded instead (`&lt;img ... &gt;`), the parameter is being escaped on output, which is the behaviour expected after the fix.

Additionally, monitor web server logs for requests to `custom_template.php` whose `contextName` value contains `<`, `>`, `javascript:` or an `on...=` event-handler attribute. The value arrives percent-encoded (`%3C`, `%3E`), so decode the query string before matching, or match the encoded forms as well. Such a request is evidence of an exploitation attempt, and the client address recorded against it will usually be the victim's workstation rather than the attacker's, because it is the victim's browser that sends the request after the link is opened.
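The following Python script is an added example, not OpenEMR project code and not part of the original advisory. It implements the two checks described in this answer and the behaviour described in the explanation above: it percent-encodes the probe URL, tests a response body for the payload reflected verbatim inside an `<h3>`, and scans access-log lines for requests to `custom_template.php` whose decoded query carries markup. The `render_heading` function is a constructed stand-in for the affected page (unescaped echo versus entity-encoded output), the sample log lines are constructed, and the base URL and session cookie passed to `probe` are values you supply; the cookie-based session handling is an assumption.

```python
"""Added example (not OpenEMR project code): local checks for the reflected
contextName parameter, plus an access-log scanner. The sample HTML and log
lines are constructed for illustration."""
import html
import re
import urllib.parse
import urllib.request

# Harmless marker payload, distinctive enough to locate in a response body.
PAYLOAD = "<img src=x onerror=alert(document.domain)>"
ENDPOINT = "/library/custom_template/custom_template.php"


def build_probe_url(base_url: str) -> str:
    """Percent-encode the payload so the request is syntactically valid;
    raw '<' and spaces in a URL are rejected by many servers and proxies."""
    query = urllib.parse.urlencode(
        {"ccFlag": "id", "type": "description", "contextName": PAYLOAD}
    )
    return f"{base_url.rstrip('/')}{ENDPOINT}?{query}"


def reflected_unescaped(body: str, payload: str = PAYLOAD) -> bool:
    """True if the payload appears verbatim inside an <h3> element.
    An entity-encoded reflection (&lt;img ...&gt;) is the patched behaviour
    and is not reported."""
    for m in re.finditer(r"<h3\b[^>]*>(.*?)</h3>", body, re.I | re.S):
        if payload in m.group(1):
            return True
    return False


def probe(base_url: str, session_cookie: str, timeout: int = 10) -> bool:
    """Send the probe as an authenticated user. The editor sits behind the
    OpenEMR login, so an unauthenticated request only sees the login page
    and proves nothing; pass the Cookie header value copied from a logged-in
    browser session (assumption: cookie-based session). True means vulnerable."""
    req = urllib.request.Request(
        build_probe_url(base_url), headers={"Cookie": session_cookie}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return reflected_unescaped(resp.read().decode("utf-8", "replace"))


def render_heading(context_name: str, escape: bool) -> str:
    """Constructed stand-in for the affected page: the heading echoes the
    parameter. escape=False mimics the unpatched output, escape=True the
    fix (entity-encode before writing into HTML)."""
    shown = html.escape(context_name) if escape else context_name
    return f"<html><body><h3>{shown}</h3></body></html>"


# --- access-log scanning -------------------------------------------------

# Markup or event-handler syntax in the decoded query string. The \b keeps
# legitimate tokens such as contextName= and description from matching on\w+=.
SUSPICIOUS = re.compile(r"<|javascript:|\bon\w+\s*=", re.I)
REQ_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_requests(log_lines):
    """Return (client_ip, decoded_url) for requests to custom_template.php
    whose percent-decoded query contains markup; attackers encode the
    payload, so matching on the raw log line would miss %3Cimg%3E."""
    hits = []
    for line in log_lines:
        m = REQ_LINE.search(line)
        if not m:
            continue
        url = urllib.parse.unquote_plus(m.group(1))
        if ENDPOINT in url and SUSPICIOUS.search(url):
            hits.append((line.split()[0], url))
    return hits


# Constructed Apache-style access-log lines, not from a real deployment.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Mar/2026:10:00:00 +0000] "GET /library/custom_template/'
    'custom_template.php?ccFlag=id&type=description&contextName=Clinical%20Notes'
    ' HTTP/1.1" 200 1532',
    '198.51.100.7 - - [26/Mar/2026:10:01:12 +0000] "GET /library/custom_template/'
    'custom_template.php?ccFlag=id&type=description&contextName='
    '%3Cimg%20src%3Dx%20onerror%3Dalert(document.domain)%3E HTTP/1.1" 200 1610',
    '10.0.0.9 - - [26/Mar/2026:10:02:30 +0000] "GET /interface/main/main_screen.php'
    ' HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    print(build_probe_url("https://emr.example"))
    print("unpatched output flagged:", reflected_unescaped(render_heading(PAYLOAD, escape=False)))
    print("patched output flagged:", reflected_unescaped(render_heading(PAYLOAD, escape=True)))
    for ip, url in suspicious_requests(SAMPLE_LOG):
        print("suspicious request from", ip, "->", url)
```

Run it as-is to see the checks against the constructed data; to test a real installation, call `probe("https://<openemr_url>", "<Cookie header value>")` from a host that is allowed to reach the application, and treat a login page or redirect in the response as "check did not run" rather than "not vulnerable".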


What immediate steps should I take to mitigate this vulnerability?

The immediate and most effective mitigation step is to upgrade OpenEMR to version 8.0.0.3 or later, where this vulnerability has been patched.

If upgrading immediately is not possible, reduce exposure with a web application firewall (WAF) rule that blocks requests to `custom_template.php` whose `contextName` parameter contains markup (`<`, `>`, `javascript:` or an `on...=` event-handler pattern, in both raw and percent-encoded form). Restricting the OpenEMR interface to the clinic network or a VPN also limits who can reach it, but note that this alone does not defeat the attack: the malicious request is issued by the victim's own browser, from inside the trusted network, once they open the link.

Educate staff to avoid clicking on suspicious or unsolicited URLs that could exploit this reflected XSS vulnerability.

Review and apply any relevant security advisories and patches provided by OpenEMR, as detailed in the official security advisory.

