PT-2026-26337 · Openemr · Openemr

Lassiiiiii · Published 2026-03-19 · Updated 2026-03-23 · CVE-2026-33321

CVSS v2.0: 8.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:P/A:P

Name of the Vulnerable Software and Affected Versions
OpenEMR versions prior to 8.0.0.2

Description
OpenEMR is an electronic health records and medical practice management application. A Server-Side Request Forgery (SSRF) issue exists in the PDF creation function when processing form answers as unescaped HTML. This allows an attacker to forge requests from the server to external or internal resources. The issue affects users with the Notes - my encounters role who can fill Eye Exam forms in patient encounters. The vulnerability is triggered when the form answers are parsed as unescaped HTML during PDF creation. The vulnerable function is involved in processing form data for PDF generation.

Recommendations
Update OpenEMR to version 8.0.0.2 or later.
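
One way to close the class of bug described above, as an added example (not OpenEMR's code and not taken from the advisory): form answers are encoded as text before the HTML reaches a PDF renderer, and a regression check lists the URLs the markup could make a renderer fetch. The function names and the sample answer are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; none of these names exist in OpenEMR.

/** Pattern the description warns about: answers are concatenated as markup. */
function renderAnswersUnsafe(array $answers): string
{
    $rows = '';
    foreach ($answers as $label => $value) {
        $rows .= "<tr><th>$label</th><td>$value</td></tr>";
    }
    return "<table>$rows</table>";
}

/** Hardened form: every user-supplied string is encoded as text. */
function renderAnswersEscaped(array $answers): string
{
    $enc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $rows = '';
    foreach ($answers as $label => $value) {
        $rows .= '<tr><th>' . $enc((string) $label) . '</th><td>'
               . $enc((string) $value) . '</td></tr>';
    }
    return "<table>$rows</table>";
}

/**
 * URLs referenced by src/href attributes in the markup. Simplified check:
 * it does not cover CSS url() or other renderer-specific fetch paths.
 */
function fetchableUrls(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate fragment input
    $doc->loadHTML($html);
    libxml_clear_errors();
    $urls = [];
    foreach ((new DOMXPath($doc))->query('//@src | //@href') as $attr) {
        $urls[] = $attr->nodeValue;
    }
    return $urls;
}

// Constructed sample answer; the host is a reserved placeholder.
$answers = ['Chief complaint' => 'Blurred vision <img src="https://placeholder.invalid/x.png">'];
printf("unsafe:  %d fetchable URL(s)\n", count(fetchableUrls(renderAnswersUnsafe($answers))));
printf("escaped: %d fetchable URL(s)\n", count(fetchableUrls(renderAnswersEscaped($answers))));
```

Escaping at output is the primary control; restricting what the PDF renderer is allowed to fetch is a separate layer and does not replace upgrading to 8.0.0.2 or later.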

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

BDU:2026-05087
CVE-2026-33321
GHSA-5PC3-2CRW-96RV

Affected Products

Openemr