CVE-2026-33346
Published: 19 March 2026
Summary
CVE-2026-33346 is a high-severity Cross-site Scripting (CWE-79) vulnerability in OpenEMR (vendor: Open-Emr). Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 8.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-15 (Information Output Filtering): Directly addresses the core issue by requiring output filtering to prevent rendering of unescaped JavaScript payloads in portal_payment.php.
- SI-10 (Information Input Validation): Enforces validation of patient-submitted payment data in paylib.php to block injection of arbitrary JavaScript before storage.
- Flaw remediation: Mandates timely flaw remediation, such as applying the OpenEMR 8.0.0.2 patch that fixes the stored XSS vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A stored XSS in a public-facing patient portal directly enables exploitation of the web application (T1190), arbitrary JavaScript execution in victims' browsers (T1059.007), browser session hijacking via stolen tokens or actions (T1185), and capture of web-portal input and credentials from staff sessions (T1056.003).
NVD Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, a stored cross-site scripting (XSS) vulnerability in the patient portal payment flow allows a patient portal user to persist arbitrary JavaScript that executes in the browser of a staff member who reviews the payment submission. The payload is stored via `portal/lib/paylib.php` and rendered without escaping in `portal/portal_payment.php`. Version 8.0.0.2 fixes the issue.
Deeper analysis
CVE-2026-33346 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting OpenEMR, a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.2 are vulnerable in the patient portal payment flow, where arbitrary JavaScript payloads submitted by users are stored via portal/lib/paylib.php and rendered without proper escaping in portal/portal_payment.php. The issue carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to its potential for significant confidentiality and integrity impacts.
An authenticated patient portal user with low privileges (PR:L) can exploit this vulnerability over the network (AV:N) by injecting malicious JavaScript during payment submission. The payload persists in storage and executes in the browser of a staff member (UI:R) who later reviews the payment details in portal/portal_payment.php, with low attack complexity (AC:L). Successful exploitation enables theft of sensitive data or manipulation of staff actions in the victim's session, achieving high confidentiality and integrity impacts (C:H/I:H) across a changed scope (S:C) without affecting availability.
OpenEMR version 8.0.0.2 addresses the vulnerability through a fix detailed in the commit at https://github.com/openemr/openemr/commit/6e9e1566d6e271a6d839614674b887e3a73d7da1. Additional mitigation guidance is available in the GitHub Security Advisory at https://github.com/openemr/openemr/security/advisories/GHSA-qvf6-6xc6-9qv7. Security practitioners should prioritize upgrading affected instances and reviewing patient portal configurations for exposure.
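The two controls named above (SI-10 input validation in the submission path, SI-15 output filtering in the staff view) are easiest to see side by side. The PHP below is an added illustration written for this page; it is not OpenEMR's code and not the fix in the linked commit. The field names (amount, method, memo), the allowed payment methods and the row-rendering functions are assumptions made for the example, as is the constructed submission at the bottom.

```php
<?php
// Added illustration (not OpenEMR's code): input validation and output escaping
// applied to a hypothetical patient-portal payment record.

declare(strict_types=1);

// SI-10 (input validation): accept only the shape each payment field may take.
// Field names and the allowed payment methods are assumptions for this example.
function validatePayment(array $input): array
{
    $errors = [];
    $clean  = [];

    // Amount: unsigned decimal with at most two fraction digits, nothing else.
    if (isset($input['amount']) && preg_match('/^\d{1,7}(\.\d{1,2})?$/', (string) $input['amount'])) {
        $clean['amount'] = (string) $input['amount'];
    } else {
        $errors[] = 'amount';
    }

    // Method: closed allow-list, never free text.
    $methods = ['card', 'check', 'cash'];
    if (isset($input['method']) && in_array($input['method'], $methods, true)) {
        $clean['method'] = $input['method'];
    } else {
        $errors[] = 'method';
    }

    // Memo: free text is permitted but length-bounded. It remains untrusted and
    // must still be escaped on output; validation alone does not make it safe to render.
    $memo = isset($input['memo']) ? (string) $input['memo'] : '';
    if (mb_strlen($memo, 'UTF-8') <= 200) {
        $clean['memo'] = $memo;
    } else {
        $errors[] = 'memo';
    }

    return ['ok' => $errors === [], 'errors' => $errors, 'data' => $clean];
}

// SI-15 (output filtering): escape for HTML element and attribute context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: stored values are written straight into the staff view.
function renderPaymentRowUnsafe(array $p): string
{
    return '<tr><td>' . $p['amount'] . '</td><td>' . $p['method'] . '</td><td>' . $p['memo'] . '</td></tr>';
}

// Hardened pattern: every stored value is escaped at the point it is rendered.
function renderPaymentRowSafe(array $p): string
{
    return '<tr><td>' . h($p['amount']) . '</td><td>' . h($p['method']) . '</td><td>' . h($p['memo']) . '</td></tr>';
}

// Constructed submission standing in for what a portal user might send.
$submission = [
    'amount' => '125.00',
    'method' => 'card',
    'memo'   => 'Copay <img src=x onerror="alert(1)">',
];

$result = validatePayment($submission);
// The memo passes validation (it is within the length bound), which is exactly
// why output filtering is required as a second, independent control.
echo $result['ok'] ? "validation: ok\n" : 'validation failed: ' . implode(',', $result['errors']) . "\n";

echo renderPaymentRowUnsafe($result['data']), "\n";
// Unsafe: the <img ... onerror=...> tag survives intact and a staff browser would execute it.

echo renderPaymentRowSafe($result['data']), "\n";
// Safe: the tag is emitted as &lt;img src=x onerror=&quot;alert(1)&quot;&gt; and displayed as text.
```

The point of running both renderers on the same validated record is that validation and escaping address different failures: validation rejects malformed amounts and unknown payment methods before storage, while escaping neutralises whatever free text legitimately made it into storage at the moment it reaches a staff member's browser. Either control alone leaves the other path open.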
Details
- CWE(s)