CVE-2026-33346 in OpenEMR

Summary

by MITRE • 03/19/2026

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, a stored cross-site scripting (XSS) vulnerability in the patient portal payment flow allows a patient portal user to persist arbitrary JavaScript that executes in the browser of a staff member who reviews the payment submission. The payload is stored via `portal/lib/paylib.php` and rendered without escaping in `portal/portal_payment.php`. Version 8.0.0.2 fixes the issue.


Analysis

by VulDB Data Team • 03/24/2026

This vulnerability resides in the OpenEMR patient portal and affects versions prior to 8.0.0.2. It is a critical stored cross-site scripting flaw: a patient portal user can inject arbitrary JavaScript through the payment processing workflow, the script persists in the system, and it executes when staff members review the payment submission. The attack vector is particularly concerning because it rides on legitimate payment functionality to reach staff browsers, from which an attacker could potentially extend the compromise to other parts of the system.

Technically, the flaw is improper handling of user input in the payment flow. The malicious JavaScript is written to the database by `portal/lib/paylib.php` and later rendered by `portal/portal_payment.php` without output escaping. This is the classic stored XSS pattern: user-supplied data is incorporated into dynamic HTML without being sanitized or escaped. The weakness is classified as CWE-79 (Cross-Site Scripting) and shows how insecure data handling creates a persistent attack surface that stays live until the stored data is removed or the application is patched.
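As an added illustration (not OpenEMR's code and not its real `paylib.php` or `portal_payment.php` logic), the unescaped output pattern the advisory describes beside its escaped form; the record layout, field names, function names and the sample note are assumptions:

```php
<?php
// Added illustration of the stored-XSS pattern. The payment record layout,
// the field names and both render functions are hypothetical; they are not
// OpenEMR's implementation.

declare(strict_types=1);

/** Escape a string for insertion into an HTML text node or attribute value. */
function escapeHtml(string $value): string
{
    // ENT_QUOTES covers both quote styles so the value is also safe inside
    // attribute="..." contexts; ENT_SUBSTITUTE avoids returning '' on bad UTF-8.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Vulnerable pattern: a stored, patient-controlled value is interpolated raw. */
function renderPaymentRowVulnerable(array $payment): string
{
    return '<tr><td>' . $payment['amount'] . '</td>'
         . '<td>' . $payment['note'] . '</td></tr>';
}

/** Hardened pattern: every stored value is escaped at the point of output. */
function renderPaymentRowHardened(array $payment): string
{
    return '<tr><td>' . escapeHtml((string) $payment['amount']) . '</td>'
         . '<td>' . escapeHtml((string) $payment['note']) . '</td></tr>';
}

// Constructed sample record standing in for what the portal would persist:
// a patient-supplied note that contains markup. It is not a payload from
// the advisory.
$storedPayment = ['amount' => '25.00', 'note' => '<script>alert(1)</script>'];

// Raw interpolation leaves the markup intact, so a staff browser that loads
// this page parses and executes it.
echo renderPaymentRowVulnerable($storedPayment), PHP_EOL;

// Escaping turns the angle brackets and quotes into character references, so
// the browser displays the note as literal text and runs nothing.
echo renderPaymentRowHardened($storedPayment), PHP_EOL;
```

The same `escapeHtml()` call must be applied to every stored field at the point of output, since escaping on input alone does not protect other code paths that read the same record.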

The operational impact goes beyond a one-off script execution: the stored payload acts as a persistent trap for staff members who regularly review payment submissions. Whenever a staff member opens the payment records page, their browser runs the stored JavaScript, which could be used to harvest session cookies, redirect the user to malicious sites, or carry out keylogging or credential theft. This is especially dangerous in healthcare environments, where staff often hold elevated privileges and access to sensitive patient data, and it can give an attacker a persistent foothold in the organization's digital infrastructure. Related ATT&CK techniques are T1566 (Phishing, covering spearphishing with malicious attachments or links) and T1059 (Command and Scripting Interpreter, for execution).

Mitigation starts with updating to version 8.0.0.2 or later, which addresses the root cause with proper input sanitization and output escaping. Organizations should also segment the network to limit access to the patient portal and payment functions, deploy a web application firewall to detect and block malicious payloads, and monitor payment processing for unusual activity. Regular security assessments and penetration tests should look for similar flaws in other components of the healthcare information system. Remediation should include thorough testing to confirm that the patch introduces no functional regressions while preserving the security improvements.

Responsible: GitHub M
Reservation: 03/18/2026
Disclosure: 03/19/2026
Moderation: accepted
CPE: ready
EPSS: 0.00034
KEV: no
Activities: very low
