6.1
OpenEMR: Hackers can take over staff members' browser sessions
CVE-2026-33933
Summary
OpenEMR's custom template editor has a reflected cross-site scripting (XSS) bug that lets a hacker run JavaScript in a logged-in staff member's browser session by tricking them into opening a specially crafted link. The hacker does not need an OpenEMR account, and the bug could give them access to sensitive patient information. Update to OpenEMR version 8.0.0.3 or later to fix the problem.
Original title
OpenEMR is a free and open source electronic health records and medical practice management application. Starting in version 7.0.2.1 and prior to version 8.0.0.3, a reflected cross-site scripting (...
Original description
OpenEMR is a free and open source electronic health records and medical practice management application. Starting in version 7.0.2.1 and prior to version 8.0.0.3, a reflected cross-site scripting (XSS) vulnerability in the custom template editor allows an attacker to execute arbitrary JavaScript in an authenticated staff member's browser session by sending them a crafted URL. The attacker does not need an OpenEMR account. Version 8.0.0.3 patches the issue.
nvd CVSS3.1
6.1
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 26 Mar 2026 · Updated: 26 Mar 2026 · First seen: 26 Mar 2026