CVE-2026-33933
Received Received - Intake
Reflected XSS in OpenEMR Template Editor Enables JS Execution

Publication date: 2026-03-26

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Starting in version 7.0.2.1 and prior to version 8.0.0.3, a reflected cross-site scripting (XSS) vulnerability in the custom template editor allows an attacker to execute arbitrary JavaScript in an authenticated staff member's browser session by sending them a crafted URL. The attacker does not need an OpenEMR account. Version 8.0.0.3 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33933
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open-emr openemr From 7.0.2.1 (inc) to 8.0.0.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-33933 is a reflected cross-site scripting (XSS) vulnerability in OpenEMR's custom template editor affecting versions prior to 8.0.0.3. The vulnerability occurs because the application improperly sanitizes the `contextName` GET parameter, which is directly embedded into an HTML heading without escaping. This allows an attacker to craft a malicious URL containing JavaScript code that executes in the browser of an authenticated staff member who clicks the link.

The attacker does not need an OpenEMR account to exploit this vulnerability. By sending a specially crafted URL to a staff member, the attacker can trigger arbitrary JavaScript execution in the victim's browser session.

Impact Analysis

This vulnerability can lead to several security impacts including theft of session data, manipulation of the Document Object Model (DOM), and unauthorized actions performed on behalf of the victim user. Since the attack executes arbitrary JavaScript in the context of an authenticated staff member's session, it can compromise confidentiality and integrity of the application data.

  • Attack Vector: Remote network exploitation by sending a crafted URL.
  • Privileges Required: None for the attacker; victim must be an authenticated staff member.
  • User Interaction: Required (victim must click the malicious link).
  • Confidentiality Impact: Low (possible session data theft).
  • Integrity Impact: Low (possible unauthorized actions).
  • Availability Impact: None.
Detection Guidance

This vulnerability can be detected by identifying if your OpenEMR installation is running a vulnerable version (starting from 7.0.2.1 up to 8.0.0.2) and by checking if the custom template editor is accessible.

A practical detection method is to test the vulnerable endpoint by sending a crafted URL that includes a malicious payload in the `contextName` GET parameter to see if the application reflects it without proper sanitization.

For example, you can use the following curl command to test the vulnerability (replace <openemr_url> with your OpenEMR base URL):

  • curl -i '<openemr_url>/library/custom_template/custom_template.php?ccFlag=id&type=description&contextName=<img src=x onerror=alert(document.domain)>'

If the response contains the injected `<img>` tag unescaped inside an `<h3>` element, the system is vulnerable.

Additionally, monitoring web server logs for suspicious requests containing script tags or unusual parameters targeting `custom_template.php` can help detect exploitation attempts.

Mitigation Strategies

The immediate and most effective mitigation step is to upgrade OpenEMR to version 8.0.0.3 or later, where this vulnerability has been patched.

If upgrading immediately is not possible, consider restricting access to the vulnerable `custom_template.php` endpoint to trusted users only, for example by using network-level controls or web application firewall (WAF) rules.

Educate staff to avoid clicking on suspicious or unsolicited URLs that could exploit this reflected XSS vulnerability.

Review and apply any relevant security advisories and patches provided by OpenEMR, as detailed in the official security advisory.

Compliance Impact

CVE-2026-33933 is a reflected cross-site scripting (XSS) vulnerability in OpenEMR that allows an attacker to execute arbitrary JavaScript in an authenticated staff member's browser session by sending a crafted URL. This can lead to theft of session data, DOM manipulation, and unauthorized actions performed as the victim.

Given that OpenEMR is an electronic health records and medical practice management application, this vulnerability could potentially impact compliance with regulations such as HIPAA and GDPR by exposing sensitive healthcare data through session hijacking or unauthorized actions.

The vulnerability allows an unauthenticated attacker to target clinical and healthcare staff, increasing the risk of unauthorized access to protected health information (PHI) or personal data, which are protected under these regulations.

Therefore, failure to patch this vulnerability could lead to violations of confidentiality and integrity requirements mandated by standards like HIPAA and GDPR, potentially resulting in regulatory non-compliance.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33933. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart