PT-2026-26348 · Openemr · Openemr

Pavelkohout396 +1 · Published 2026-03-19 · Updated 2026-03-23 · CVE-2026-33346

CVSS v3.1: 8.7 High
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: OpenEMR versions prior to 8.0.0.2

Description: OpenEMR is a free and open source electronic health records and medical practice management application. A stored cross-site scripting (XSS) issue exists in the patient portal payment flow. This allows a patient portal user to inject arbitrary JavaScript code that will be executed in the browser of a staff member reviewing the payment submission. The malicious payload is stored in portal/lib/paylib.php and rendered without proper sanitization in portal/portal payment.php.

Recommendations: Update OpenEMR to version 8.0.0.2 or later.

XSS

Weakness Enumeration

Related Identifiers

BDU:2026-05088
CVE-2026-33346
GHSA-QVF6-6XC6-9QV7

Affected Products

Openemr