CVE-2026-33348

Name of the Vulnerable Software and Affected Versions OpenEMR versions prior to 8.0.0.3

Description OpenEMR is an electronic health records and medical practice management application. A stored cross-site scripting (XSS) issue exists in the function responsible for displaying form answers. An authenticated attacker with the Notes - my encounters role can inject arbitrary JavaScript into the system by providing malicious input to the form answers. This injected JavaScript is then executed when other users with the same role view the form answers in patient encounter pages or visit history. The vulnerability affects the Eye Exam forms within patient encounters.

Recommendations Versions prior to 8.0.0.3 should be updated to version 8.0.0.3 or later.