Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users with the `Notes - my encounters` role can fill Eye Exam forms in patient encounters. The answers to the form can be printed out in PDF form. An arbitrary file read vulnerability was identified in the PDF creation function where the form answers are parsed as unescaped HTML, allowing an attacker to include arbitrary image files from the server in the generated PDF. Version 8.0.0.2 fixes the issue.
Published: 2026-03-19
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read
Action: Apply Patch
AI Analysis

Impact

The vulnerability arises because the PDF generation function in OpenEMR parses form answers as unescaped HTML. An attacker who can submit an Eye Exam form in the Notes - my encounters role can embed image references that point at arbitrary files on the server. During PDF creation those images are retrieved and embedded, so the generated PDF carries the file contents. This results in an arbitrary file read that can expose patient records, configuration files, or other sensitive data. The weakness is classified as CWE-116 (Improper Encoding or Escaping of Output), which matches the unescaped rendering of user-supplied answers.
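To make the mechanism above concrete, the following Python model is an added example and not OpenEMR's code: it shows the vulnerable pattern (answers interpolated verbatim into the HTML handed to an HTML-to-PDF renderer that resolves local image paths), the hardened pattern (answers escaped first), and a guard that flags image references to non-HTTP paths. The field names, the sample path and the template are constructed assumptions.

```python
import html
import re

# Matches an <img> tag and captures its src value (constructed helper).
IMG_TAG = re.compile(r"<img\b[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.I)


def render_answers_unsafe(answers: dict) -> str:
    """Vulnerable pattern: form answers dropped into the HTML template verbatim.
    A renderer that resolves <img src> on the server filesystem will then
    embed whatever file the answer points at."""
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in answers.items())
    return f"<table>{rows}</table>"


def render_answers_safe(answers: dict) -> str:
    """Hardened pattern: every answer is HTML-escaped, so markup becomes inert text."""
    rows = "".join(
        f"<tr><td>{html.escape(str(k))}</td><td>{html.escape(str(v))}</td></tr>"
        for k, v in answers.items()
    )
    return f"<table>{rows}</table>"


def local_image_refs(document_html: str) -> list[str]:
    """Return <img src> values that do not use http(s) or data: and would
    therefore be resolved against the server. Usable as a pre-render guard
    or to scan already stored form answers for this abuse pattern."""
    refs = []
    for src in IMG_TAG.findall(document_html):
        if not re.match(r"https?://", src, re.I) and not src.lower().startswith("data:"):
            refs.append(src)
    return refs


# Constructed sample: one field carries an image tag aimed at a server path.
SAMPLE_ANSWERS = {
    "visual_acuity_od": "20/20",
    "notes": '<img src="/srv/app/uploads/placeholder.png">',
}

if __name__ == "__main__":
    print("unsafe:", local_image_refs(render_answers_unsafe(SAMPLE_ANSWERS)))
    print("safe:  ", local_image_refs(render_answers_safe(SAMPLE_ANSWERS)))
```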

Affected Systems

All OpenEMR installations running versions earlier than 8.0.0.2 are affected. The vulnerable functionality is the PDF printing of Eye Exam forms submitted through the Notes - my encounters role. Version 8.0.0.2 and later contain a fix that removes unescaped HTML parsing from the PDF generation routine.

Risk and Exploitability

The CVSS score of 7.1 (rated High) indicates a moderate to high risk. The EPSS probability is below 1%, and the vulnerability is not listed in the CISA KEV catalog, suggesting a low likelihood of widespread exploitation. The primary attack vector is the web application's form submission, which requires an authenticated user with the Notes - my encounters role. Once the PDF is generated, the attacker gains read access to arbitrary server files, compromising the confidentiality of sensitive data. The overall risk under typical conditions is moderate, but because the impact includes exposure of potentially confidential medical records, prompt remediation is advised.

Generated by OpenCVE AI on March 20, 2026 at 17:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenEMR to version 8.0.0.2 or later
  • Restrict the Notes - my encounters role to trusted users



Advisories

No advisories yet.

History

Tue, 24 Mar 2026 20:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 16:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Open-emr; Open-emr openemr
CPEs | | cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products | | Open-emr; Open-emr openemr
Metrics | | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

Fri, 20 Mar 2026 09:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Openemr; Openemr openemr
Vendors & Products | | Openemr; Openemr openemr

Thu, 19 Mar 2026 20:30:00 +0000

Type | Values Removed | Values Added
Description | | OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users with the `Notes - my encounters` role can fill Eye Exam forms in patient encounters. The answers to the form can be printed out in PDF form. An arbitrary file read vulnerability was identified in the PDF creation function where the form answers are parsed as unescaped HTML, allowing an attacker to include arbitrary image files from the server in the generated PDF. Version 8.0.0.2 fixes the issue.
Title | | OpenEMR has arbitrary image file read via PDF generator
Weaknesses | | CWE-116
References | |
Metrics | | cvssV4_0 {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-24T19:47:49.473Z

Reserved: 2026-03-18T18:55:47.427Z

Link: CVE-2026-33301

Vulnrichment

Updated: 2026-03-24T19:47:45.325Z

NVD

Status: Analyzed

Published: 2026-03-19T21:17:11.230

Modified: 2026-03-20T16:16:47.230

Link: CVE-2026-33301

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:55:08Z

Weaknesses