PT-2026-26335 · Openemr · Openemr

Lassiiiiii · Published 2026-03-19 · Updated 2026-03-23 · CVE-2026-33301

CVSS v2.0: 8.5 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: OpenEMR versions prior to 8.0.0.2

Description: OpenEMR is an electronic health records and medical practice management application. A file read issue exists in the PDF creation function, which processes form answers as unescaped HTML. This allows an attacker to include arbitrary image files from the server in generated PDFs. The issue affects users with the "Notes - my encounters" role who can fill in Eye Exam forms in patient encounters. The vulnerability is triggered when the form answers are parsed, potentially leading to unauthorized access to server files, because the vulnerable function processes the form answers without proper sanitization.

Recommendations: Update to OpenEMR version 8.0.0.2 or later.

Weakness Enumeration

Improper Encoding or Escaping of Output

Related identifiers

BDU:2026-05085
CVE-2026-33301
GHSA-V9V3-Q973-XP2H

Affected products

Openemr