CVE-2026-33299 in OpenEMR

Summary

by MITRE • 03/19/2026

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users with the `Notes - my encounters` role can fill in **Eye Exam** forms in patient encounters. The answers to the form are displayed on the encounter page and in the visit history for users with the same role. There exists a stored cross-site scripting (XSS) vulnerability in the function that displays the form answers, allowing any authenticated attacker with the specific role to insert arbitrary JavaScript into the system by entering malicious payloads into the form answers. The JavaScript code is later executed by any user with the form role when viewing the form answers in the patient encounter pages or visit history. Version 8.0.0.2 fixes the issue.


Analysis

by VulDB Data Team • 03/24/2026

The vulnerability CVE-2026-33299 affects OpenEMR versions prior to 8.0.0.2, exposing a critical stored cross-site scripting flaw within the Eye Exam form functionality. This security weakness specifically targets users holding the `Notes - my encounters` role, creating a persistent threat vector that allows authenticated attackers to inject malicious JavaScript code into patient encounter records. The vulnerability stems from insufficient input sanitization and output encoding in the display function responsible for rendering form answers, creating a direct pathway for code execution when legitimate users view the affected encounter pages.

The technical implementation of this flaw demonstrates a classic stored XSS vulnerability classified under CWE-79, where user-supplied data is inadequately validated before being rendered in web pages. The vulnerability exists in the Eye Exam form processing logic, where form answers are stored in the database without proper sanitization and subsequently displayed without adequate HTML escaping mechanisms. When users with the designated role view encounter pages or visit history, the malicious JavaScript code embedded within the form answers executes in their browser context, potentially enabling session hijacking, data theft, or further exploitation of the victim's privileges.

The operational impact of this vulnerability extends beyond simple code execution, as it creates a persistent backdoor for attackers who can manipulate patient records and potentially access sensitive medical information. Any user with the `Notes - my encounters` role can become an attacker, making this particularly concerning in healthcare environments where patient privacy and data integrity are paramount. The vulnerability affects the core functionality of medical practice management systems, potentially compromising the confidentiality and availability of electronic health records. Attackers could leverage this flaw to redirect users to malicious sites, steal session cookies, or inject additional malicious content into patient records that would persist across multiple user sessions.

Organizations utilizing OpenEMR versions prior to 8.0.0.2 must implement immediate mitigation strategies including mandatory software updates to version 8.0.0.2 or later, which addresses the XSS vulnerability through proper input validation and output encoding mechanisms. System administrators should also consider implementing additional security controls such as role-based access restrictions, enhanced monitoring of encounter form submissions, and regular security audits of medical practice management applications. The remediation process should include thorough testing of the patched version to ensure no regression in functionality while verifying that the XSS vulnerability has been effectively addressed. This vulnerability aligns with ATT&CK technique T1566, specifically targeting credential access through malicious content delivery, and demonstrates the critical importance of input validation in healthcare information systems where patient safety and data protection are essential considerations.
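As an added illustration (not OpenEMR's code), the pattern the analysis describes, stored form answers concatenated into the encounter page without encoding, is shown next to its output-encoded form, together with a small audit over constructed sample rows that flags stored answers containing markup, which supports the monitoring of encounter form submissions recommended above. The table layout, field names, user names and sample rows are assumptions.

```python
"""Added example, not OpenEMR code: unsafe vs. encoded rendering of stored
Eye Exam answers, plus an audit that flags stored answers carrying markup."""
import html
import re

# Constructed sample rows, shaped like a hypothetical form-answer table:
# (encounter_id, field, answer, entered_by)
STORED_ANSWERS = [
    (101, "visual_acuity_od", "20/20", "clinician_a"),
    (101, "visual_acuity_os", "20/40", "clinician_a"),
    (102, "comments", "Mild redness, <b>no</b> pain", "clinician_b"),
    (103, "comments", "<script>/* constructed sample */</script>", "clinician_c"),
]


def render_unsafe(answers):
    """Mirrors the pre-8.0.0.2 pattern: answers are dropped into the HTML as-is,
    so any markup a user typed becomes part of the page for every viewer."""
    rows = "".join(
        f"<tr><td>{field}</td><td>{answer}</td></tr>"
        for _, field, answer, _ in answers
    )
    return f"<table>{rows}</table>"


def render_encoded(answers):
    """Hardened form: every value is HTML-entity encoded at output time, so
    stored text is displayed literally instead of being parsed as markup."""
    rows = "".join(
        f"<tr><td>{html.escape(field)}</td><td>{html.escape(answer)}</td></tr>"
        for _, field, answer, _ in answers
    )
    return f"<table>{rows}</table>"


# Coarse triage pattern: an HTML tag, or a javascript: URL scheme.
MARKUP = re.compile(r"<\s*/?[a-z!][^>]*>|javascript\s*:", re.I)


def audit_stored_answers(answers):
    """Return (encounter_id, field, entered_by) for rows whose answer contains
    markup. After upgrading, output encoding neutralises rendering, but the
    rows still show whether anyone submitted such content and who did."""
    return [
        (enc, field, who)
        for enc, field, answer, who in answers
        if MARKUP.search(answer)
    ]
```

Clinical free text can legitimately contain `<` (for example "IOP <20"), so treat audit hits as items to review rather than proof of misuse.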

Responsible: GitHub M

Reservation: 03/18/2026

Disclosure: 03/19/2026

Moderation: accepted

CPE: ready

EPSS: 0.00233

KEV: no

Activities: very low
