Cyber Posture

CVE-2026-33348

HighPublic PoC

Published: 25 March 2026

Published
25 March 2026
Modified
26 March 2026
KEV Added
Patch
CVSS Score 8.7 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
EPSS Score 0.0003 8.3th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-33348 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Open-Emr Openemr. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 8.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly addresses the vulnerability by requiring identification, reporting, and correction of the specific stored XSS flaw via patching to version 8.0.0.3.

SI-10 Information Input Validation good match
prevent

Mandates validation of Eye Exam form inputs to reject malicious JavaScript payloads before storage, preventing injection by authenticated users with the 'Notes - my encounters' role.

SI-15 Information Output Filtering good match
prevent

Requires filtering of form answers prior to display on encounter pages and visit history, blocking execution of injected scripts in viewers' browsers.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
attack.mitre.org →
T1539 Steal Web Session Cookie Credential Access
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
attack.mitre.org →
Why these techniques?

Stored XSS in OpenEMR web app directly enables exploitation of public-facing application (T1190) via unsanitized form input, arbitrary JavaScript execution in victim browsers (T1059.007), and theft of web session cookies for account impersonation (T1539).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

OpenEMR is a free and open source electronic health records and medical practice management application. Users with the `Notes - my encounters` role can fill Eye Exam forms in patient encounters. The answers to the form are displayed on the…

more

encounter page and in the visit history for the users with the same role. Versions prior to 8.0.0.3 have a stored cross-site scripting (XSS) vulnerability in the function to display the form answers, allowing any authenticated attacker with the specific role to insert arbitrary JavaScript into the system by entering malicious payloads to the form answers. The JavaScript code is later executed by any user with the form role when viewing the form answers in the patient encounter pages or visit history. Version 8.0.0.3 contains a patch.

Deeper analysisAI

CVE-2026-33348 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting OpenEMR, a free and open-source electronic health records and medical practice management application. The flaw resides in the function responsible for displaying answers from Eye Exam forms within patient encounters. Users with the "Notes - my encounters" role can submit form answers that are then shown on the encounter page and in visit history for others with the same role. Versions of OpenEMR prior to 8.0.0.3 fail to properly sanitize these inputs, enabling the injection of arbitrary JavaScript payloads. The vulnerability carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), reflecting high confidentiality and integrity impacts due to its cross-origin scope change.

An authenticated attacker possessing the "Notes - my encounters" role can exploit this by entering malicious JavaScript into Eye Exam form fields during a patient encounter. When any other user with the same role views the affected encounter page or visit history, the injected code executes in their browser context. This allows the attacker to steal session cookies, manipulate page content, perform actions on behalf of the victim, or exfiltrate sensitive patient data visible to that role, all over the network with low complexity but requiring user interaction to trigger.

Mitigation is available via the official patch in OpenEMR version 8.0.0.3, as detailed in the project's GitHub security advisory (GHSA-6ch2-p26g-x33h), release notes, and the fixing commit (f488efbe3eb7f17d0f057f960020cb611149f8a2). Security practitioners should prioritize upgrading affected instances, validate input sanitization in custom forms, and enforce principle of least privilege for the "Notes - my encounters" role to limit exposure.

Details

CWE(s)
CWE-79

Affected Products

open-emr
openemr
≤ 8.0.0.3

CVEs Like This One

CVE-2025-69231Same product: Open-Emr Openemr
CVE-2026-33346Same product: Open-Emr Openemr
CVE-2026-33932Same product: Open-Emr Openemr
CVE-2026-32121Same product: Open-Emr Openemr
CVE-2026-32118Same product: Open-Emr Openemr
CVE-2026-25164Same product: Open-Emr Openemr
CVE-2026-33914Same product: Open-Emr Openemr
CVE-2026-25146Same product: Open-Emr Openemr
CVE-2025-29789Same product: Open-Emr Openemr
CVE-2026-24848Same product: Open-Emr Openemr

References