CVE-2026-33932

Severity: High
Published: 26 March 2026
Modified: 26 March 2026
CVSS Score (v3.1): 7.6 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N)
EPSS Score: 0.0004 (12.4th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-33932 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Open-Emr Openemr. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). EPSS ranks it at the 12.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33932 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting OpenEMR, a free and open-source electronic health records and medical practice management application. In versions prior to 8.0.0.3, the vulnerability exists in the CCDA document preview feature, where the XSL stylesheet sanitizes attributes for narrative elements but fails to do so for the `linkHtml` element. This allows malicious `href="javascript:..."` and event handler attributes to pass through unchanged.

An attacker who can upload or send a CCDA document can exploit this to inject arbitrary JavaScript. When a clinician previews the document, the JavaScript executes in their browser session. The CVSS v3.1 base score is 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N), reflecting network accessibility, low attack complexity, required low privileges and user interaction, scope change, high confidentiality impact, low integrity impact, and no availability impact.

OpenEMR version 8.0.0.3 patches the vulnerability by addressing the sanitization gap in the XSL stylesheet. Mitigation details are available in the GitHub security advisory (GHSA-g77x-9p3x-2j8f), release notes for v8.0.0.3, and the fixing commit (95e6078889b5399b12b59117f998560cd94bd47d). Security practitioners should prioritize upgrading affected instances.
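The gap described above is a sanitization rule applied to every narrative element except one. As an added example (not OpenEMR's code or its XSL stylesheet), the Python filter below applies one allow-list policy uniformly, `linkHtml` included: event-handler attributes are dropped, and an `href` survives only if it is relative or uses an allowed scheme. The allowed schemes, the sample narrative fragment and the function names are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

# CCDA narrative blocks live in the HL7 v3 namespace; register it so the
# sanitized output serializes with the same default namespace as the input.
HL7_NS = "urn:hl7-org:v3"
ET.register_namespace("", HL7_NS)

# Link schemes a preview is allowed to render (assumed policy for this example).
SAFE_SCHEMES = {"http", "https", "mailto"}

# Browsers tolerate whitespace and control characters inside a scheme
# (e.g. "java\tscript:"), so strip them before inspecting it.
_CTRL = re.compile(r"[\x00-\x20\x7f]")


def href_is_safe(value: str) -> bool:
    """True for relative links and links whose scheme is on the allow list."""
    cleaned = _CTRL.sub("", value).lower()
    if ":" not in cleaned:
        return True  # relative path or fragment, no scheme at all
    return cleaned.split(":", 1)[0] in SAFE_SCHEMES


def sanitize_narrative(xml_text: str):
    """Strip event-handler and unsafe href attributes from every element.

    Returns (sanitized XML string, list of (element, attribute) removed) so a
    preview layer can both render the clean fragment and log what was dropped.
    """
    root = ET.fromstring(xml_text)
    removed = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop the namespace prefix
        for name in list(elem.attrib):
            local = name.rsplit("}", 1)[-1].lower()
            drop = local.startswith("on")  # onclick, onmouseover, ...
            drop = drop or (local == "href" and not href_is_safe(elem.attrib[name]))
            if drop:
                del elem.attrib[name]
                removed.append((tag, local))
    return ET.tostring(root, encoding="unicode"), removed


# Constructed narrative fragment: one link carrying a javascript: href and an
# event handler, one ordinary https link that must survive untouched.
SAMPLE_NARRATIVE = f"""<text xmlns="{HL7_NS}">
  <paragraph styleCode="Bold">Allergies</paragraph>
  <linkHtml href="javascript:void(0)" onclick="x()">details</linkHtml>
  <linkHtml href="https://example.org/note">note</linkHtml>
</text>"""

if __name__ == "__main__":
    clean, dropped = sanitize_narrative(SAMPLE_NARRATIVE)
    print(clean)
    print("removed:", dropped)
```

The returned `removed` list is the detection hook: a non-empty list on a freshly received CCDA document is worth logging alongside the sender, since the fix in 8.0.0.3 stops the script from rendering but does not tell you who sent it.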

Vulnerability details

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a stored cross-site scripting vulnerability in the CCDA document preview allows an attacker who can upload or send a CCDA document to execute arbitrary JavaScript in a clinician's browser session when the document is previewed. The XSL stylesheet sanitizes attributes for all other narrative elements but not for `linkHtml`, allowing `href="javascript:..."` and event handler attributes to pass through unchanged. Version 8.0.0.3 patches the issue.

CWE(s)

CWE-79 Cross-site Scripting

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1059.007 JavaScript (tactic: Execution)
Adversaries may abuse various implementations of JavaScript for execution.
T1185 Browser Session Hijacking (tactic: Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.
T1204.002 Malicious File (tactic: Execution)
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Stored XSS enables direct injection/execution of arbitrary JavaScript in the clinician browser session upon previewing a malicious CCDA file (T1059.007 JavaScript + T1204.002 Malicious File); this directly supports browser session hijacking and cookie/token theft (T1185).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-32121 (same product: Open-Emr Openemr)
CVE-2026-33346 (same product: Open-Emr Openemr)
CVE-2026-32118 (same product: Open-Emr Openemr)
CVE-2026-33299 (same product: Open-Emr Openemr)
CVE-2026-33348 (same product: Open-Emr Openemr)
CVE-2025-69231 (same product: Open-Emr Openemr)
CVE-2026-25147 (same product: Open-Emr Openemr)
CVE-2026-34055 (same product: Open-Emr Openemr)
CVE-2026-33910 (same product: Open-Emr Openemr)
CVE-2025-67645 (same product: Open-Emr Openemr)

Affected Assets

Vendor: open-emr
Product: openemr
Versions: ≤ 8.0.0.3

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

SI-15 Information Output Filtering (prevent)

Directly mandates filtering of information output in CCDA previews to block unsanitized javascript: hrefs and event handlers, preventing XSS execution in clinicians' browsers.

SI-2 Flaw Remediation (prevent)

Requires timely identification, reporting, and correction of flaws like the XSL stylesheet sanitization gap patched in OpenEMR 8.0.0.3.

Input validation (prevent; the control identifier for this entry is not shown on the page)

Provides input validation and sanitization for uploaded CCDA documents to reject or strip malicious attributes before storage and preview.
