PT-2026-28141 · Openemr · Openemr

Published 2026-03-25 · Updated 2026-03-26 · CVE-2026-33911

CVSS v3.1: 5.4 Medium
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions OpenEMR versions prior to 8.0.0.3
Description OpenEMR is an electronic health records and medical practice management application. Prior to version 8.0.0.3, the title POST parameter is reflected in a JSON response created using json_encode(). Because the response is served with a text/html Content-Type, browsers interpret injected HTML/script tags instead of treating the output as JSON. An authenticated attacker can construct a request to execute arbitrary JavaScript within a victim’s session. The vulnerable parameter is title.
Recommendations Update to version 8.0.0.3 or later.
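The defect described above is a content-type mismatch rather than a JSON encoding bug. The following is an added illustration, not OpenEMR's code: a hypothetical PHP handler (all names are assumptions) showing the weak pattern beside a hardened one that declares the JSON content type, disables MIME sniffing, and hex-escapes HTML-significant characters.

```php
<?php
// Added example, not OpenEMR code. The endpoint, function names and the
// sample input are assumptions made for this illustration.

// Weak pattern matching the advisory: the body is valid JSON, but no
// Content-Type header is sent, so PHP's default text/html applies and a
// browser will render any tags contained in "title".
function respond_weak(string $title): string
{
    // No header('Content-Type: ...') call: response is labelled text/html.
    return json_encode(['title' => $title]);
}

// Hardened pattern: label the body as JSON, forbid MIME sniffing, and
// escape <, >, &, ' and " as \uXXXX so that even a mislabelled response
// cannot carry literal HTML tags.
function respond_hardened(string $title): string
{
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    return json_encode(
        ['title' => $title],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample value standing in for the POSTed "title" parameter.
$title = $_POST['title'] ?? '<b>sample</b>';

echo respond_hardened($title);
```

To check a deployed endpoint, request it with the POST parameter set to a harmless string containing angle brackets and confirm the reply carries Content-Type: application/json and the brackets arrive escaped.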

Weakness Enumeration

XSS
Related Identifiers

CVE-2026-33911
GHSA-WWHF-6CVC-6766

Affected Products

Openemr