Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users with the `Notes - my encounters` role can fill **Eye Exam** forms in patient encounters. The answers to the form are displayed on the encounter page and in the visit history to users with the same role. There exists a stored cross-site scripting (XSS) vulnerability in the function that displays the form answers, allowing any authenticated attacker who holds that role to insert arbitrary JavaScript into the system by entering malicious payloads in the form answers. The JavaScript is later executed in the browser of any user with the form role who views the form answers on the patient encounter pages or in the visit history. Version 8.0.0.2 fixes the issue.
Published: 2026-03-19
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross-site scripting allowing arbitrary JavaScript execution for users with the `Notes - my encounters` role
Action: Patch
AI Analysis

Impact

A stored cross-site scripting vulnerability exists in the component that renders answers to the Eye Exam form in OpenEMR. When an authenticated user holding the `Notes - my encounters` role submits an answer containing JavaScript, that payload is stored and later inserted verbatim into the patient encounter page and the visit history. This flaw, classified as CWE-79, executes arbitrary script in the browser of any other user who has the same form role and views the affected pages, which can lead to session theft, data leakage, or further compromise of the system.
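As an added illustration of the CWE-79 pattern described above (this is not OpenEMR's code; the field label and the `renderAnswer*`/`esc` functions are hypothetical), the following shows a renderer that echoes a stored form answer verbatim beside one that HTML-encodes it at output time:

```php
<?php
// Added example, not OpenEMR's code. Field names and functions are hypothetical.

// Constructed sample of an answer as it comes back from the encounter record.
// Because the value is stored, it reaches every viewer of the encounter page and
// the visit history, which is what makes this a stored (not reflected) XSS.
$storedAnswer = 'OD 20/20 <b>bold</b> & "quoted" <i>note</i>';

// Vulnerable pattern: the stored value is concatenated into HTML as-is, so any
// tags or attributes the submitting user typed are parsed by the viewer's browser.
function renderAnswerVulnerable(string $label, string $answer): string
{
    return "<tr><td>$label</td><td>$answer</td></tr>";
}

// Hardened pattern: encode for the HTML text context at the point of output.
// ENT_QUOTES encodes both quote styles, so the same helper is also safe inside
// attribute values; ENT_SUBSTITUTE replaces malformed UTF-8 instead of returning
// an empty string, which would silently drop a clinical answer.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderAnswerSafe(string $label, string $answer): string
{
    return '<tr><td>' . esc($label) . '</td><td>' . esc($answer) . '</td></tr>';
}

// Quick self-check: the hardened output must not contain a raw tag.
$safe = renderAnswerSafe('Visual acuity', $storedAnswer);
if (strpos($safe, '<b>') !== false) {
    throw new RuntimeException('escaping failed');
}

echo renderAnswerVulnerable('Visual acuity', $storedAnswer), PHP_EOL;
echo $safe, PHP_EOL;
```

In the OpenEMR code base the equivalent wrappers are, to my knowledge, `text()` for HTML body content and `attr()` for attribute context; a review of the 8.0.0.2 fix should confirm that every Eye Exam answer on the display path passes through one of them.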

Affected Systems

The issue affects OpenEMR installations running versions earlier than 8.0.0.2. Users who can fill Eye Exam forms under the `Notes - my encounters` role are both the potential attackers and the victims, since malicious content is stored and rendered for anyone with that role who views the encounter or history pages.

Risk and Exploitability

The CVSS base score of 8.5 rates this vulnerability as high. The EPSS score of less than 1% indicates that active exploitation is currently unlikely, and it is not listed in CISA's KEV catalog. Exploitation does require an authenticated account holding the relevant role; beyond that, the attack consists of submitting malicious form data and waiting for other users to view it. The exploit path is straightforward and needs no system access beyond the existing role permissions.

Generated by OpenCVE AI on March 20, 2026 at 17:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OpenEMR to version 8.0.0.2 or later to eliminate the stored XSS flaw.


Advisories

No advisories yet.

History

Fri, 20 Mar 2026 21:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}` |


Fri, 20 Mar 2026 16:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Open-emr; Open-emr openemr |
| CPEs | | `cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Open-emr; Open-emr openemr |
| Metrics | | cvssV3_1: `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}` |


Fri, 20 Mar 2026 09:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Openemr; Openemr openemr |
| Vendors & Products | | Openemr; Openemr openemr |

Thu, 19 Mar 2026 20:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users with the `Notes - my encounters` role can fill **Eye Exam** forms in patient encounters. The answers to the form are displayed on the encounter page and in the visit history for the users with the same role. There exists a stored cross-site scripting (XSS) vulnerability in the function to display the form answers, allowing any authenticated attacker with the specific role to insert arbitrary JavaScript into the system by entering malicious payloads to the form answers. The JavaScript code is later executed by any user with the form role when viewing the form answers in the patient encounter pages or visit history. Version 8.0.0.2 fixes the issue. |
| Title | | OpenEMR has Stored XSS in patient encounter Eye Exam form answers |
| Weaknesses | | CWE-79 |
| References | | |
| Metrics | | cvssV4_0: `{'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}` |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T20:21:10.287Z

Reserved: 2026-03-18T18:55:47.427Z

Link: CVE-2026-33299

Vulnrichment

Updated: 2026-03-20T20:21:06.936Z

NVD

Status: Analyzed

Published: 2026-03-19T21:17:11.080

Modified: 2026-03-20T16:17:24.627

Link: CVE-2026-33299

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:55:09Z

Weaknesses