Description
OpenEMR is a free and open source electronic health records and medical practice management application. Starting in version 7.0.2.1 and prior to version 8.0.0.3, a reflected cross-site scripting (XSS) vulnerability in the custom template editor allows an attacker to execute arbitrary JavaScript in an authenticated staff member's browser session by sending them a crafted URL. The attacker does not need an OpenEMR account. Version 8.0.0.3 patches the issue.
Published: 2026-03-25
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Client‑Side Code Execution via Reflected XSS
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a reflected cross‑site scripting flaw in the custom template editor of OpenEMR. A crafted URL carrying a contextName parameter that the editor reflects into the page without escaping causes arbitrary JavaScript to run in an authenticated staff member’s browser. This flaw enables the execution of client‑side code, allowing an attacker to hijack the user’s session, steal data, perform actions on behalf of the user, or modify content in the browser. The weakness is a classic reflected XSS, identified as CWE‑79.
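The pattern behind the flaw is a request parameter reflected into HTML without output encoding. The following PHP is an added illustration written for this page, not OpenEMR's code: the page, the heading text and the allow-list are hypothetical, and only the parameter name contextName comes from the advisory. It shows the unescaped reflection beside the hardened form, plus an optional allow-list check that treats the context name as data the editor already knows rather than free text.

```php
<?php
// Added illustration, not OpenEMR's code. The editor page and output context
// are simplified; only the parameter name "contextName" comes from the advisory.

// Hypothetical "before": the query parameter is concatenated straight into HTML,
// so any markup in the value is interpreted by the browser.
function renderHeadingVulnerable(array $get): string
{
    $contextName = (string) ($get['contextName'] ?? '');
    return "<h2>Editing template for: {$contextName}</h2>";
}

// Hardened form: encode for the HTML element context at the point of output.
// ENT_QUOTES escapes both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, so nothing is silently dropped.
function renderHeadingSafe(array $get): string
{
    $contextName = (string) ($get['contextName'] ?? '');
    $escaped = htmlspecialchars($contextName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<h2>Editing template for: {$escaped}</h2>";
}

// Defence in depth (hypothetical allow-list): a template editor only needs a
// fixed set of context names, so reject anything that is not one of them
// before the value reaches any output path. Strict comparison avoids type juggling.
function isKnownContext(string $contextName, array $allowedContexts): bool
{
    return in_array($contextName, $allowedContexts, true);
}

// Constructed sample input standing in for a crafted query string.
// Benign markup is enough to show the difference; the escaped form renders it
// as literal text instead of as tags.
$sample = ['contextName' => '<b>demo</b>"&\''];
$allowedContexts = ['patient_notes', 'encounter_summary'];

echo renderHeadingVulnerable($sample), PHP_EOL; // markup is reflected verbatim
echo renderHeadingSafe($sample), PHP_EOL;       // markup is entity-encoded
var_dump(isKnownContext($sample['contextName'], $allowedContexts)); // rejected
var_dump(isKnownContext('patient_notes', $allowedContexts));        // accepted
```

The encoding call belongs at the output site and must match the context (HTML body here; attribute, JavaScript and URL contexts each need their own encoder). OpenEMR ships its own output-escaping helpers for this purpose; plain htmlspecialchars() is used above only to keep the snippet self-contained.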

Affected Systems

OpenEMR, the open‑source electronic health records system, is affected. Vulnerable releases start with 7.0.2.1 and continue through versions up to but not including 8.0.0.3. The vulnerability was fixed in release 8.0.0.3, which should be applied by all users running earlier versions.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate severity flaw, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The attack vector involves an attacker sending a malicious URL to an authenticated staff member; no OpenEMR account is required to craft the exploit. Because the flaw only affects the client’s browser and does not allow server‑side code execution or privilege escalation, the risk is contained to the compromised user. The absence of a listing in CISA’s KEV catalog further indicates that no known exploitation has been reported. Nonetheless, organizations should treat this as a medium‑to‑high risk due to the potential impact on patient data confidentiality and staff productivity.

Generated by OpenCVE AI on March 26, 2026 at 17:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch delivered in OpenEMR version 8.0.0.3 or later to eliminate the reflected XSS flaw.
  • If an upgrade cannot be performed immediately, restrict access to the custom template editor functionality to trusted staff and consider implementing a web application firewall rule to block or sanitize the contextName parameter in incoming URLs.



Advisories

No advisories yet.

History

Thu, 26 Mar 2026 16:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Open-emr
                    |                | Open-emr openemr
CPEs                |                | cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products  |                | Open-emr
                    |                | Open-emr openemr

Thu, 26 Mar 2026 15:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Openemr
                    |                | Openemr openemr
Vendors & Products  |                | Openemr
                    |                | Openemr openemr

Thu, 26 Mar 2026 00:00:00 +0000

Type        | Values Removed | Values Added
Description |                | OpenEMR is a free and open source electronic health records and medical practice management application. Starting in version 7.0.2.1 and prior to version 8.0.0.3, a reflected cross-site scripting (XSS) vulnerability in the custom template editor allows an attacker to execute arbitrary JavaScript in an authenticated staff member's browser session by sending them a crafted URL. The attacker does not need an OpenEMR account. Version 8.0.0.3 patches the issue.
Title       |                | Reflected XSS via Unescaped contextName Parameter in Custom Template Editor
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T14:23:30.021Z

Reserved: 2026-03-24T19:50:52.103Z

Link: CVE-2026-33933

Vulnrichment

Updated: 2026-03-26T14:23:22.033Z

NVD

Status: Analyzed

Published: 2026-03-26T00:16:40.120

Modified: 2026-03-26T16:17:56.660

Link: CVE-2026-33933

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:29:18Z

Weaknesses