{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33932", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T19:50:52.103Z", "datePublished": "2026-03-25T23:37:58.427Z", "dateUpdated": "2026-03-25T23:37:58.427Z"}, "containers": {"cna": {"title": "OpenEMR has Stored XSS in CCDA Preview via Unsanitized linkHtml Attributes", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/openemr/openemr/security/advisories/GHSA-g77x-9p3x-2j8f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-g77x-9p3x-2j8f"}, {"name": "https://github.com/openemr/openemr/commit/95e6078889b5399b12b59117f998560cd94bd47d", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/commit/95e6078889b5399b12b59117f998560cd94bd47d"}, {"name": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3"}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"version": "< 8.0.0.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T23:37:58.427Z"}, "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a stored cross-site scripting vulnerability in the CCDA document preview allows an attacker who can upload or send a CCDA document to execute arbitrary JavaScript in a clinician's browser session when the document is previewed. The XSL stylesheet sanitizes attributes for all other narrative elements but not for `linkHtml`, allowing `href=\"javascript:...\"` and event handler attributes to pass through unchanged. Version 8.0.0.3 patches the issue."}], "source": {"advisory": "GHSA-g77x-9p3x-2j8f", "discovery": "UNKNOWN"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "matchCriteriaId": "E3E098AF-42A1-4798-85A7-80052F19F809", "versionEndExcluding": "8.0.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a stored cross-site scripting vulnerability in the CCDA document preview allows an attacker who can upload or send a CCDA document to execute arbitrary JavaScript in a clinician's browser session when the document is previewed. The XSL stylesheet sanitizes attributes for all other narrative elements but not for `linkHtml`, allowing `href=\"javascript:...\"` and event handler attributes to pass through unchanged. Version 8.0.0.3 patches the issue."}], "id": "CVE-2026-33932", "lastModified": "2026-03-26T16:27:53.530", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-26T00:16:39.953", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openemr/openemr/commit/95e6078889b5399b12b59117f998560cd94bd47d"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-g77x-9p3x-2j8f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.0.0.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openemr", "source": "cna", "vendor": "openemr"}, "product": "openemr", "vendor": "openemr"}], "analysis": {"en": {"generated_at": "2026-03-26T03:15:28.863696+00:00", "value": {"mitigation_remediation": ["Upgrade OpenEMR to version 8.0.0.3 or later to apply the vendor patch that sanitizes linkHtml attributes.", "If an upgrade is delayed, restrict CCDA upload capability to trusted sources and manually review or sanitize filenames before storing.", "Disable or remove the CCDA preview feature for all users until a secure patch is applied.", "Monitor the system for unauthorized CCDA uploads or attempts to trigger JavaScript code in the preview interface."], "summary": {"action": "Immediate Patch", "impact": "Stored cross\u2011site scripting allowing arbitrary JavaScript execution in clinicians\u2019 browsers"}, "threat_synthesis": {"affected_systems": "The issue affects installations of OpenEMR before version 8.0.0.3. The product is the free and open\u2011source electronic health records system provided by OpenEMR. Patch advice is available for version 8.0.0.3, which removes the unsanitized attribute handling in the CCDA preview module.", "description_and_impact": "A stored cross\u2011site scripting flaw exists in OpenEMR\u2019s CCDA document preview when the linkHtml element is not sanitized. The vulnerability permits an attacker who can upload or send a CCDA file to embed a malicious href such as \"javascript:\" or event handlers that execute without user interaction. The injected code runs in the context of the clinician\u2019s browser session, potentially hijacking the session, exfiltrating patient data, or delivering further attacks. The weakness is a classic input\u2011validation error described by CWE\u201179.", "risk_and_exploitability": "The CVSS score of 7.6 indicates high severity. The EPSS score is not provided, and the vulnerability is not listed in CISA\u2019s KEV catalog. An attacker can exploit the flaw by simply uploading a crafted CCDA file and then having a target clinician preview the file. Once the preview page loads, the embedded JavaScript executes with the clinician\u2019s browser privileges. Due to the lack of an explicit access control check in the preview functionality, the risk is real and potentially widespread in environments that use this feature without additional safeguards."}}}}, "created": "2026-03-26T11:31:07.644689+00:00", "updated": "2026-03-26T12:09:10.151818+00:00", "vendors": ["openemr", "openemr$PRODUCT$openemr"]}