Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.6
OpenEMR: Malicious Code Can Run in Clinician's Browser
CVE-2026-33932
Summary
Before a software update, a security issue in OpenEMR allowed a hacker to inject malicious code into a patient's medical document, potentially harming the clinician's computer or stealing sensitive information. This has been fixed in version 8.0.0.3. To stay secure, update to the latest version of OpenEMR.
Original title
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a stored cross-site scripting vulnerability in the CCDA document p...
Original description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a stored cross-site scripting vulnerability in the CCDA document preview allows an attacker who can upload or send a CCDA document to execute arbitrary JavaScript in a clinician's browser session when the document is previewed. The XSL stylesheet sanitizes attributes for all other narrative elements but not for `linkHtml`, allowing `href="javascript:..."` and event handler attributes to pass through unchanged. Version 8.0.0.3 patches the issue.
nvd CVSS3.1
7.6
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 26 Mar 2026 · Updated: 26 Mar 2026 · First seen: 26 Mar 2026