CVE-2026-33932
Published: 26 March 2026
Summary
CVE-2026-33932 is a high-severity Cross-site Scripting (CWE-79) vulnerability in OpenEMR (vendor Open-Emr). Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). Its exploit likelihood ranks at the 10.2 percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-15 (Information Output Filtering): directly mandates filtering of information output in CCDA previews to block unsanitized javascript: hrefs and event handlers, preventing XSS execution in clinicians' browsers.
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of flaws like the XSL stylesheet sanitization gap patched in OpenEMR 8.0.0.3.
- Input validation: provides validation and sanitization for uploaded CCDA documents to reject or strip malicious attributes before storage and preview.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS lets arbitrary JavaScript be injected and executed in the clinician's browser session when a malicious CCDA file is previewed (T1059.007 JavaScript together with T1204.002 Malicious File); this directly supports browser session hijacking and cookie/token theft (T1185).
NVD Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a stored cross-site scripting vulnerability in the CCDA document preview allows an attacker who can upload or send a CCDA document to execute arbitrary JavaScript in a clinician's browser session when the document is previewed. The XSL stylesheet sanitizes attributes for all other narrative elements but not for `linkHtml`, allowing `href="javascript:..."` and event handler attributes to pass through unchanged. Version 8.0.0.3 patches the issue.
Deeper analysis
CVE-2026-33932 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting OpenEMR, a free and open-source electronic health records and medical practice management application. In versions prior to 8.0.0.3, the vulnerability exists in the CCDA document preview feature, where the XSL stylesheet sanitizes attributes for narrative elements but fails to do so for the `linkHtml` element. This allows malicious `href="javascript:..."` and event handler attributes to pass through unchanged.
An attacker who can upload or send a CCDA document can exploit this to inject arbitrary JavaScript. When a clinician previews the document, the JavaScript executes in their browser session. The CVSS v3.1 base score is 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N), reflecting network accessibility, low attack complexity, required low privileges and user interaction, scope change, high confidentiality impact, low integrity impact, and no availability impact.
OpenEMR version 8.0.0.3 patches the vulnerability by addressing the sanitization gap in the XSL stylesheet. Mitigation details are available in the GitHub security advisory (GHSA-g77x-9p3x-2j8f), release notes for v8.0.0.3, and the fixing commit (95e6078889b5399b12b59117f998560cd94bd47d). Security practitioners should prioritize upgrading affected instances.
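As an added illustration of the class of check the patch closes (this is not OpenEMR's own code, which applies its rules in an XSL stylesheet): a Python filter that applies one attribute policy to every narrative element, `linkHtml` included, so no element is left out of the sanitization pass. The CCDA fragment, element names and scheme allowlist are constructed assumptions for the example.

```python
import re
from urllib.parse import urlsplit
from xml.etree import ElementTree as ET

# Constructed sample of a CCDA narrative block (not from any real document).
SAMPLE_NARRATIVE = """<text>
  <paragraph>Follow-up: <linkHtml href="https://example.org/plan">care plan</linkHtml></paragraph>
  <paragraph><linkHtml href="javascript:alert(document.cookie)" onmouseover="alert(1)">results</linkHtml></paragraph>
  <paragraph><linkHtml href=" JavaScript:alert(1)">spaced scheme</linkHtml></paragraph>
  <paragraph><linkHtml href="/notes/123">relative link</linkHtml></paragraph>
</text>"""

SAFE_SCHEMES = {"http", "https", "mailto"}   # assumed allowlist for the preview
URL_ATTRIBUTES = {"href", "src"}
_CONTROL_OR_SPACE = re.compile(r"[\x00-\x20\x7f]")


def href_is_safe(value: str) -> bool:
    """Allow only http(s)/mailto URLs and relative references.

    Whitespace and control characters are removed before the scheme is read,
    because browsers ignore them inside a scheme, so "java\\tscript:" would
    otherwise slip past a naive prefix test.
    """
    cleaned = _CONTROL_OR_SPACE.sub("", value)
    scheme = urlsplit(cleaned).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


def sanitize_element(elem: ET.Element) -> list:
    """Drop event-handler and unsafe URL attributes from elem and all descendants.

    Every element is visited, so a newly added narrative element cannot be
    skipped the way linkHtml was. Returns (tag, attribute, value) tuples that
    were removed, for logging.
    """
    dropped = []
    for node in elem.iter():
        for name in list(node.attrib):
            lname, value = name.lower(), node.attrib[name]
            # Any on* attribute is treated as an event handler (conservative rule).
            if lname.startswith("on") or (lname in URL_ATTRIBUTES and not href_is_safe(value)):
                dropped.append((node.tag, name, value))
                del node.attrib[name]
    return dropped


def sanitize_narrative(xml_text: str) -> tuple:
    """Parse a narrative fragment and return (sanitized XML string, dropped attributes)."""
    root = ET.fromstring(xml_text)
    dropped = sanitize_element(root)
    return ET.tostring(root, encoding="unicode"), dropped
```

Running `sanitize_narrative(SAMPLE_NARRATIVE)` keeps the https and relative links and strips the two javascript: hrefs and the onmouseover handler.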
Details
- CWE(s)