{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33348", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T22:15:11.814Z", "datePublished": "2026-03-25T22:30:37.489Z", "dateUpdated": "2026-03-26T15:00:29.982Z"}, "containers": {"cna": {"title": "OpenEMR has Stored XSS in patient encounter Eye Exam form $CHRONIC2 and $CHRONIC3", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/openemr/openemr/security/advisories/GHSA-6ch2-p26g-x33h", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-6ch2-p26g-x33h"}, {"name": "https://github.com/openemr/openemr/commit/f488efbe3eb7f17d0f057f960020cb611149f8a2", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/commit/f488efbe3eb7f17d0f057f960020cb611149f8a2"}, {"name": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3"}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"version": "< 8.0.0.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T22:41:25.855Z"}, "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Users with the\u00a0`Notes - my encounters`\u00a0role can fill\u00a0Eye Exam\u00a0forms in patient encounters. The answers to the form are displayed on the encounter page and in the visit history for the users with the same role. Versions prior to 8.0.0.3 have a stored cross-site scripting (XSS) vulnerability in the function to display the form answers, allowing any authenticated attacker with the specific role to insert arbitrary JavaScript into the system by entering malicious payloads to the form answers. The JavaScript code is later executed by any user with the form role when viewing the form answers in the patient encounter pages or visit history. Version 8.0.0.3 contains a patch."}], "source": {"advisory": "GHSA-6ch2-p26g-x33h", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/openemr/openemr/security/advisories/GHSA-6ch2-p26g-x33h", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T15:00:17.198465Z", "id": "CVE-2026-33348", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:00:29.982Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33348", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-26T15:00:17.198465Z"}}}], "references": [{"url": "https://github.com/openemr/openemr/security/advisories/GHSA-6ch2-p26g-x33h", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T15:00:26.387Z"}}], "cna": {"title": "OpenEMR has Stored XSS in patient encounter Eye Exam form $CHRONIC2 and $CHRONIC3", "source": {"advisory": "GHSA-6ch2-p26g-x33h", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"status": "affected", "version": "< 8.0.0.3"}]}], "references": [{"url": "https://github.com/openemr/openemr/security/advisories/GHSA-6ch2-p26g-x33h", "name": "https://github.com/openemr/openemr/security/advisories/GHSA-6ch2-p26g-x33h", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openemr/openemr/commit/f488efbe3eb7f17d0f057f960020cb611149f8a2", "name": "https://github.com/openemr/openemr/commit/f488efbe3eb7f17d0f057f960020cb611149f8a2", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "name": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Users with the\u00a0`Notes - my encounters`\u00a0role can fill\u00a0Eye Exam\u00a0forms in patient encounters. The answers to the form are displayed on the encounter page and in the visit history for the users with the same role. Versions prior to 8.0.0.3 have a stored cross-site scripting (XSS) vulnerability in the function to display the form answers, allowing any authenticated attacker with the specific role to insert arbitrary JavaScript into the system by entering malicious payloads to the form answers. The JavaScript code is later executed by any user with the form role when viewing the form answers in the patient encounter pages or visit history. Version 8.0.0.3 contains a patch."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T22:41:25.855Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33348", "state": "PUBLISHED", "dateUpdated": "2026-03-26T15:00:29.982Z", "dateReserved": "2026-03-18T22:15:11.814Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-25T22:30:37.489Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Users with the\u00a0`Notes - my encounters`\u00a0role can fill\u00a0Eye Exam\u00a0forms in patient encounters. The answers to the form are displayed on the encounter page and in the visit history for the users with the same role. Versions prior to 8.0.0.3 have a stored cross-site scripting (XSS) vulnerability in the function to display the form answers, allowing any authenticated attacker with the specific role to insert arbitrary JavaScript into the system by entering malicious payloads to the form answers. The JavaScript code is later executed by any user with the form role when viewing the form answers in the patient encounter pages or visit history. Version 8.0.0.3 contains a patch."}], "id": "CVE-2026-33348", "lastModified": "2026-03-26T15:16:38.267", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-25T23:17:09.840", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/openemr/openemr/commit/f488efbe3eb7f17d0f057f960020cb611149f8a2"}, {"source": "security-advisories@github.com", "url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3"}, {"source": "security-advisories@github.com", "url": "https://github.com/openemr/openemr/security/advisories/GHSA-6ch2-p26g-x33h"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/openemr/openemr/security/advisories/GHSA-6ch2-p26g-x33h"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.0.0.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openemr", "source": "cna", "vendor": "openemr"}, "product": "openemr", "vendor": "openemr"}], "analysis": {"en": {"generated_at": "2026-03-26T01:57:26.609825+00:00", "value": {"mitigation_remediation": ["Apply OpenEMR 8.0.0.3 update or later to remove the flaw", "If an update cannot be applied immediately, restrict the \"Notes - my encounters\" role to trusted users only", "Deploy a temporary content\u2011security policy that blocks inline JavaScript on encounter pages", "Monitor access logs for anomalous form submissions that may indicate exploitation attempts"], "summary": {"action": "Immediate Patch", "impact": "Stored cross\u2011site scripting"}, "threat_synthesis": {"affected_systems": "OpenEMR version 8.0.0.3 and later are patched. All releases prior to 8.0.0.3 are vulnerable. The flaw can only be exploited by users who possess the \"Notes - my encounters\" role; users with other roles cannot submit data that causes the vulnerability to trigger.", "description_and_impact": "The vulnerability allows an authenticated user who has the \"Notes - my encounters\" role to insert arbitrary JavaScript into the answers of the Eye Exam form. The stored code is rendered later when any user with the same role views the encounter page or visit history, resulting in execution of the attacker\u2019s script within the victim\u2019s browser. This is a classic stored XSS flaw classified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 8.7 indicates a high severity rating. The EPSS score is not provided, so the precise exploit likelihood is unknown. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires credentials and the specific role, making it a credential\u2011based attack. Based on the description, it is inferred that the executed scripts could potentially enable session hijacking, unauthorized data access, or other client\u2011side attacks when viewed by the intended role users."}}}}, "created": "2026-03-26T11:31:20.652778+00:00", "updated": "2026-03-26T12:09:23.930978+00:00", "vendors": ["openemr", "openemr$PRODUCT$openemr"]}