{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33912", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T15:41:47.492Z", "datePublished": "2026-03-25T22:51:15.297Z", "dateUpdated": "2026-03-26T14:24:50.465Z"}, "containers": {"cna": {"title": "OpenEMR has reflected XSS in ajax_download.php via reportID parameter", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/openemr/openemr/security/advisories/GHSA-cpph-949w-w79v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-cpph-949w-w79v"}, {"name": "https://github.com/openemr/openemr/commit/24dd47c3e4936a6ddd064924d17b0273c6ac4b66", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/commit/24dd47c3e4936a6ddd064924d17b0273c6ac4b66"}, {"name": "https://github.com/openemr/openemr/commit/ae2a9e5edb8c88b9b0dff5969fd3aa98225f047e", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/commit/ae2a9e5edb8c88b9b0dff5969fd3aa98225f047e"}, {"name": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3"}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"version": "< 8.0.0.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T22:51:15.297Z"}, "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an authenticated attacker could craft a malicious form that, when submitted by a victim, executes arbitrary JavaScript in the victim's browser session. Version 8.0.0.3 patches the issue."}], "source": {"advisory": "GHSA-cpph-949w-w79v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T14:24:43.231842Z", "id": "CVE-2026-33912", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T14:24:50.465Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "OpenEMR has reflected XSS in ajax_download.php via reportID parameter", "source": {"advisory": "GHSA-cpph-949w-w79v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"status": "affected", "version": "< 8.0.0.3"}]}], "references": [{"url": "https://github.com/openemr/openemr/security/advisories/GHSA-cpph-949w-w79v", "name": "https://github.com/openemr/openemr/security/advisories/GHSA-cpph-949w-w79v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openemr/openemr/commit/24dd47c3e4936a6ddd064924d17b0273c6ac4b66", "name": "https://github.com/openemr/openemr/commit/24dd47c3e4936a6ddd064924d17b0273c6ac4b66", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/openemr/openemr/commit/ae2a9e5edb8c88b9b0dff5969fd3aa98225f047e", "name": "https://github.com/openemr/openemr/commit/ae2a9e5edb8c88b9b0dff5969fd3aa98225f047e", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "name": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an authenticated attacker could craft a malicious form that, when submitted by a victim, executes arbitrary JavaScript in the victim's browser session. Version 8.0.0.3 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T22:51:15.297Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33912", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T14:24:43.231842Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-26T14:24:47.027Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-33912", "state": "PUBLISHED", "dateUpdated": "2026-03-25T22:51:15.297Z", "dateReserved": "2026-03-24T15:41:47.492Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-25T22:51:15.297Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "matchCriteriaId": "E3E098AF-42A1-4798-85A7-80052F19F809", "versionEndExcluding": "8.0.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an authenticated attacker could craft a malicious form that, when submitted by a victim, executes arbitrary JavaScript in the victim's browser session. Version 8.0.0.3 patches the issue."}], "id": "CVE-2026-33912", "lastModified": "2026-03-26T16:24:01.077", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-25T23:17:10.497", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openemr/openemr/commit/24dd47c3e4936a6ddd064924d17b0273c6ac4b66"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openemr/openemr/commit/ae2a9e5edb8c88b9b0dff5969fd3aa98225f047e"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-cpph-949w-w79v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.0.0.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openemr", "source": "cna", "vendor": "openemr"}, "product": "openemr", "vendor": "openemr"}], "analysis": {"en": {"generated_at": "2026-03-26T00:54:39.961523+00:00", "value": {"mitigation_remediation": ["Upgrade OpenEMR to version 8.0.0.3 or newer"], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011site scripting in victim browsers via a reflected JavaScript payload"}, "threat_synthesis": {"affected_systems": "The affected product is OpenEMR, a free and open\u2011source electronic health record and medical practice management application. All releases prior to version 8.0.0.3 are vulnerable. The vulnerability is fixed in OpenEMR release 8.0.0.3 and later versions.", "description_and_impact": "OpenEMR versions before 8.0.0.3 allow an attacker who can independently submit a malicious form to the ajax_download.php endpoint to cause the victim to receive and execute arbitrary JavaScript. The vulnerability is a classic reflected XSS that can enable session hijacking, defacement, or theft of data from the victim\u2019s browser during a legitimate session. The impact is limited to actions performed in the victim's browser context, but it can enable a broad range of client\u2011side attacks within the authenticated user\u2019s session.", "risk_and_exploitability": "The CVSS score of 5.4 indicates a moderate severity, largely owing to the requirement that an attacker must compromise a victim\u2019s browser session; the exploit is not remote code execution on the server. No EPSS data is available and the vulnerability is not listed in CISA\u2019s KEV catalog. Attackers can achieve the vulnerability through a crafted form that the victim submits to the server, implying the likelihood of exploitation depends on the presence of an authenticated user who can be coerced into submitting the form. While risk is moderate, the absence of server\u2011side mitigations makes prompt patching advisable."}}}}, "created": "2026-03-26T11:31:15.958088+00:00", "updated": "2026-03-26T12:09:19.033380+00:00", "vendors": ["openemr", "openemr$PRODUCT$openemr"]}