PT-2026-26334 · Openemr · Openemr

Lassiiiiii · Published 2026-03-19 · Updated 2026-03-23 · CVE-2026-33299

CVSS v4.0: 8.5 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenEMR versions prior to 8.0.0.2

Description: OpenEMR is an electronic health records and medical practice management application. A stored cross-site scripting (XSS) issue exists in the function responsible for displaying answers from the Eye Exam form. An authenticated attacker with the Notes - my encounters role can inject arbitrary JavaScript code into the system by supplying malicious input as form answers. Because the display function does not neutralize that input, the injected JavaScript is executed when other users with the same role view the form answers within patient encounters or visit history.

Recommendations: Update to OpenEMR version 8.0.0.2 or later.


XSS


Related Identifiers

BDU:2026-05090
CVE-2026-33299
GHSA-PGVQ-F22Q-2WHP

Affected Products

Openemr