Description
OpenEMR is a free and open source electronic health records and medical practice management application. Users with the `Notes - my encounters` role can fill Eye Exam forms in patient encounters. The answers to the form are displayed on the encounter page and in the visit history for the users with the same role. Versions prior to 8.0.0.3 have a stored cross-site scripting (XSS) vulnerability in the function to display the form answers, allowing any authenticated attacker with the specific role to insert arbitrary JavaScript into the system by entering malicious payloads to the form answers. The JavaScript code is later executed by any user with the form role when viewing the form answers in the patient encounter pages or visit history. Version 8.0.0.3 contains a patch.
Published: 2026-03-25
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

OpenEMR stores user‑supplied input from Eye Exam forms in patient encounter records. The input is rendered without proper output escaping, allowing an attacker with the Notes‑my‑encounters role to inject arbitrary JavaScript. When other users with the same role view the encounter pages or visit history, the malicious script runs in their browser, where it can hijack sessions, modify displayed data, or retrieve sensitive information. This is a classic stored cross‑site scripting weakness (CWE-79): the injected script executes with the privileges of whichever user of the affected role views the stored answers.

Affected Systems

The vulnerability affects the OpenEMR electronic health records application. All installations running a version prior to 8.0.0.3 are vulnerable. In particular, the store function for the Eye Exam form ($CHRONIC2 and $CHRONIC3) lacks output escaping.
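The difference between the unescaped rendering described above and an output-escaped one, shown as an added PHP example that is not OpenEMR's own code: the function names and the stored answer values are hypothetical, the $CHRONIC2/$CHRONIC3 field names are taken from the advisory title, and escaping is done with PHP's built-in htmlspecialchars rather than any framework helper.

```php
<?php
// Added example (not OpenEMR's own code): a minimal model of how Eye Exam
// answers are rendered. Function and variable names are hypothetical; the
// CHRONIC2/CHRONIC3 names follow the advisory title.

// Constructed stored answers: one benign, one carrying markup a user of the
// form role could have typed into the answer field.
$answers = [
    'CHRONIC2' => 'Glaucoma, stable on drops',
    'CHRONIC3' => 'None<script>/* constructed marker */</script>',
];

// Vulnerable pattern: the stored answer is concatenated straight into HTML,
// so any tag inside it becomes part of the page that other users load.
function renderAnswersUnescaped(array $answers): string
{
    $html = '';
    foreach ($answers as $field => $value) {
        $html .= "<div class=\"$field\">$value</div>\n";
    }
    return $html;
}

// Hardened pattern: every stored value is HTML-escaped at output time with
// ENT_QUOTES so that <, >, &, " and ' become entities. The text is still
// shown to the reader, but the browser no longer parses it as markup.
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderAnswersEscaped(array $answers): string
{
    $html = '';
    foreach ($answers as $field => $value) {
        $html .= '<div class="' . escapeForHtml($field) . '">'
               . escapeForHtml($value) . "</div>\n";
    }
    return $html;
}

// Quick self-check: the unescaped output contains a live <script> tag,
// the escaped output contains only the entity-encoded text.
$unsafe = renderAnswersUnescaped($answers);
$safe   = renderAnswersEscaped($answers);
assert(str_contains($unsafe, '<script>'));
assert(!str_contains($safe, '<script>'));
assert(str_contains($safe, '&lt;script&gt;'));
echo $safe;
```

The escaping must happen at every place the stored answer is emitted (encounter page and visit history alike); escaping on input instead would not protect values already stored before the fix.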

Risk and Exploitability

The CVSS base score is 8.7, reflecting a high‑impact flaw that is exploitable by an authenticated user. EPSS is under 1 %, indicating that current exploit prevalence is low, and the flaw is not listed in the CISA KEV catalog. Nevertheless, the attack requires only a valid OpenEMR account with the specific form role, so any compromised or legitimate account holding that role could be abused. Because the injected script runs in the victim's browser context, the attack can be performed silently and against many users at once, so administrators should treat it as a serious risk.

Generated by OpenCVE AI on March 26, 2026 at 19:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenEMR to version 8.0.0.3 or later which contains the patch
  • Verify the upgrade and restart the application
  • Limit the Notes‑my‑encounters role to trusted users if an immediate upgrade is not feasible


Advisories

No advisories yet.

History

Thu, 26 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Open-emr
Open-emr openemr
CPEs cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products Open-emr
Open-emr openemr

Thu, 26 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Openemr
Openemr openemr
Vendors & Products Openemr
Openemr openemr

Wed, 25 Mar 2026 23:00:00 +0000

Type Values Removed Values Added
References

Wed, 25 Mar 2026 22:45:00 +0000

Type Values Removed Values Added
Description OpenEMR is a free and open source electronic health records and medical practice management application. Users with the `Notes - my encounters` role can fill Eye Exam forms in patient encounters. The answers to the form are displayed on the encounter page and in the visit history for the users with the same role. Versions prior to 8.0.0.3 have a stored cross-site scripting (XSS) vulnerability in the function to display the form answers, allowing any authenticated attacker with the specific role to insert arbitrary JavaScript into the system by entering malicious payloads to the form answers. The JavaScript code is later executed by any user with the form role when viewing the form answers in the patient encounter pages or visit history. Version 8.0.0.3 contains a patch.
Title OpenEMR has Stored XSS in patient encounter Eye Exam form $CHRONIC2 and $CHRONIC3
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 8.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T15:00:29.982Z

Reserved: 2026-03-18T22:15:11.814Z

Link: CVE-2026-33348

Vulnrichment

Updated: 2026-03-26T15:00:26.387Z

NVD

Status : Analyzed

Published: 2026-03-25T23:17:09.840

Modified: 2026-03-26T18:02:20.603

Link: CVE-2026-33348

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:29:29Z

Weaknesses