Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a stored cross-site scripting vulnerability in the CCDA document preview allows an attacker who can upload or send a CCDA document to execute arbitrary JavaScript in a clinician's browser session when the document is previewed. The XSL stylesheet sanitizes attributes for all other narrative elements but not for `linkHtml`, allowing `href="javascript:..."` and event handler attributes to pass through unchanged. Version 8.0.0.3 patches the issue.
Published: 2026-03-25
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Client‑Side Stored XSS
Action: Immediate Patch
AI Analysis

Impact

OpenEMR is susceptible to a stored cross‑site scripting flaw in the CCDA document preview. The XSL stylesheet sanitizes most narrative elements but mistakenly leaves the linkHtml attribute unsanitized, allowing an attacker to embed a malicious href such as javascript:… or event handler attributes. When a clinician opens the preview, the attacker’s script runs in the user’s browser, granting client‑side code execution that can hijack the session, exfiltrate data, or perform other malicious actions. The weakness is classified as CWE‑79.

Affected Systems

The flaw affects all OpenEMR installations whose version is earlier than 8.0.0.3. The issue was fixed in commit 95e6078 and rolled into the 8.0.0.3 release, so any release at or above that version is no longer vulnerable.

Risk and Exploitability

This vulnerability carries a CVSS score of 7.6, indicating high severity. However, the EPSS score is below 1 %, suggesting a low probability of exploitation at the moment, and it is not listed in the CISA KEV catalog. An attacker must be able to supply a CCDA document to the target system—either by uploading or by forwarding the file—and the victim must subsequently view the preview for the payload to execute. Because the attack vector is limited to client‑side actions, the risk to the system is largely confined to the compromised user’s session.

Generated by OpenCVE AI on March 26, 2026 at 18:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenEMR 8.0.0.3 or later to receive the patch that sanitizes linkHtml attributes.
  • If an upgrade cannot be performed immediately, disable the CCDA preview feature or restrict its use to trusted users only.
  • As a temporary measure, review or sanitize any CCDA documents before previewing to remove malicious linkHtml attributes.

Generated by OpenCVE AI on March 26, 2026 at 18:06 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 30 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Open-emr
Open-emr openemr
CPEs cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products Open-emr
Open-emr openemr

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Openemr
Openemr openemr
Vendors & Products Openemr
Openemr openemr

Thu, 26 Mar 2026 00:00:00 +0000

Type Values Removed Values Added
Description OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a stored cross-site scripting vulnerability in the CCDA document preview allows an attacker who can upload or send a CCDA document to execute arbitrary JavaScript in a clinician's browser session when the document is previewed. The XSL stylesheet sanitizes attributes for all other narrative elements but not for `linkHtml`, allowing `href="javascript:..."` and event handler attributes to pass through unchanged. Version 8.0.0.3 patches the issue.
Title OpenEMR has Stored XSS in CCDA Preview via Unsanitized linkHtml Attributes
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N'}

Subscriptions

Open-emr Openemr
Openemr Openemr
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T14:56:39.996Z

Reserved: 2026-03-24T19:50:52.103Z

Link: CVE-2026-33932

cve-icon Vulnrichment

Updated: 2026-03-30T13:19:16.950Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T00:16:39.953

Modified: 2026-03-26T16:27:53.530

Link: CVE-2026-33932

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:29:19Z

Weaknesses