Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an authenticated attacker could craft a malicious form that, when submitted by a victim, executes arbitrary JavaScript in the victim's browser session. Version 8.0.0.3 patches the issue.
Published: 2026-03-25
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site scripting via reportID parameter
Action: Apply patch
AI Analysis

Impact

The vulnerability allows an attacker to inject and execute arbitrary JavaScript in the victim’s browser session. By crafting a malicious form that references the vulnerable reportID parameter in ajax_download.php, an authenticated attacker can cause the victim’s browser to run attacker supplied code when the form is submitted. This may lead to data theft, session hijacking, or other client‑side attacks. The weakness is a reflected XSS flaw (CWE‑79).

Affected Systems

The flaw exists in OpenEMR for all releases prior to 8.0.0.3. Any installation of the OpenEMR application that has not been upgraded to version 8.0.0.3 or later is vulnerable. The affected product is the OpenEMR electronic health records system.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate impact. The EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The vulnerability requires an authenticated user and relies on the victim’s browser executing injected code, so the attack vector is web‑based via the application’s interface. The issue is not listed in CISA’s KEV catalog, but since the flaw allows arbitrary script execution, any user with a valid session could be impacted if they visit a crafted page.

Generated by OpenCVE AI on March 26, 2026 at 17:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenEMR to version 8.0.0.3 or newer to resolve the reflected XSS vulnerability.

Generated by OpenCVE AI on March 26, 2026 at 17:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Open-emr
Open-emr openemr
CPEs cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products Open-emr
Open-emr openemr

Thu, 26 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Openemr
Openemr openemr
Vendors & Products Openemr
Openemr openemr

Wed, 25 Mar 2026 23:00:00 +0000

Type Values Removed Values Added
Description OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an authenticated attacker could craft a malicious form that, when submitted by a victim, executes arbitrary JavaScript in the victim's browser session. Version 8.0.0.3 patches the issue.
Title OpenEMR has reflected XSS in ajax_download.php via reportID parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Open-emr Openemr
Openemr Openemr
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T14:24:50.465Z

Reserved: 2026-03-24T15:41:47.492Z

Link: CVE-2026-33912

cve-icon Vulnrichment

Updated: 2026-03-26T14:24:47.027Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-25T23:17:10.497

Modified: 2026-03-26T16:24:01.077

Link: CVE-2026-33912

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:29:26Z

Weaknesses