CVE-2026-33301
Published: 19 March 2026
Summary
CVE-2026-33301 is a high-severity Improper Encoding or Escaping of Output (CWE-116) vulnerability in Open-Emr Openemr. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 10.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires filtering or encoding of form answers prior to PDF generation to prevent unescaped HTML from embedding arbitrary server image files.
Mandates timely remediation of the flaw fixed in OpenEMR 8.0.0.2 by upgrading vulnerable versions.
Validates Eye Exam form inputs to reject malicious HTML payloads that reference arbitrary server files.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Arbitrary file read vulnerability directly enables collection of data from local system files (T1005) and facilitates file and directory discovery (T1083) by allowing embedding of arbitrary server files in generated PDFs.
NVD Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users with the `Notes - my encounters` role can fill Eye Exam forms in patient encounters. The answers to the form can…
more
be printed out in PDF form. An arbitrary file read vulnerability was identified in the PDF creation function where the form answers are parsed as unescaped HTML, allowing an attacker to include arbitrary image files from the server in the generated PDF. Version 8.0.0.2 fixes the issue.
Deeper analysisAI
CVE-2026-33301 is an arbitrary file read vulnerability in OpenEMR, a free and open source electronic health records and medical practice management application. The issue affects versions prior to 8.0.0.2 and resides in the PDF creation function for Eye Exam forms within patient encounters. Specifically, form answers submitted by users are parsed as unescaped HTML, enabling the inclusion of arbitrary image files from the server in the generated PDF. The vulnerability is rated with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-116 (Improper Encoding or Escaping of Output).
The vulnerability can be exploited by authenticated users holding the "Notes - my encounters" role, who have permission to fill Eye Exam forms in patient encounters. By injecting malicious HTML into form answers that references arbitrary image files on the server, an attacker can trigger the PDF generation process to embed sensitive file contents as images. This results in high confidentiality and integrity impacts, allowing unauthorized access to and exposure of server files through the downloadable PDF, without requiring user interaction beyond normal workflow.
Mitigation is addressed in OpenEMR version 8.0.0.2, which fixes the unescaped HTML parsing in the PDF creation function. Security practitioners should upgrade to this version immediately. Additional details are available in the GitHub security advisory (GHSA-v9v3-q973-xp2h) and the fixing commit (dccc962f06bdf6105ca85c277915167caf3e7c28).
Details
- CWE(s)