PT-2026-26345 · Openemr · Openemr

Lassiiiiii +2 · Published 2026-03-19 · Updated 2026-03-23 · CVE-2026-33303

CVSS v2.0: 5.5 (Medium)

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N

Name of the Vulnerable Software and Affected Versions

OpenEMR versions prior to 8.0.0.2

Description

OpenEMR is a free and open source electronic health records and medical practice management application. The application is susceptible to a stored cross-site scripting (XSS) issue: the portal login username is rendered unescaped in the portal credential print view. A patient portal user can inject an XSS payload as their login username, which then executes in a clinic staff member's browser when the "Create Portal Login" page is accessed for that patient. This allows a transition from the patient session context to the staff/admin session context.

Recommendations

Versions prior to 8.0.0.2 should be updated to version 8.0.0.2 or later.

Exploit

Fix

XSS

Weakness Enumeration

Related identifiers

BDU:2026-05091
CVE-2026-33303
GHSA-CP37-PMFX-5MHM

Affected products

Openemr