PT-2026-28143 · Openemr · Openemr

Published 2026-03-25 · Updated 2026-03-26 · CVE-2026-33913

CVSS v3.1: 7.7 High
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions
OpenEMR versions prior to 8.0.0.3

Description
OpenEMR is an electronic health records and medical practice management application. An authenticated user with access to the Carecoordination module can upload a specially crafted CCDA document to read arbitrary files from the server. The crafted document contains <xi:include href="file:///etc/passwd" parse="text"/>. The API endpoint used for uploading the document is not specified. The vulnerable parameter is the CCDA document itself.

Recommendations
Update to version 8.0.0.3 or later.
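
A detection aid for the XInclude vector described above, added here as an example and not taken from OpenEMR's code or its fix: it scans a CCDA document for XInclude elements and DOCTYPE declarations without resolving them, which helps when reviewing documents already uploaded to an affected instance. The function name scan_ccda and the sample documents are assumptions constructed for illustration.

```python
import xml.parsers.expat

# XInclude namespace URIs: the W3C Recommendation's and the 2003 draft's.
XINCLUDE_NAMESPACES = {
    "http://www.w3.org/2001/XInclude",
    "http://www.w3.org/2003/XInclude",
}

def scan_ccda(data: bytes) -> list:
    """Return (kind, detail) findings for one document; an empty list means clean.

    Hypothetical helper. expat only reports events here: no handler for
    external entities is installed and XInclude is never processed, so
    nothing referenced by the document is fetched or read.
    """
    findings = []
    # Namespace-aware parsing reports names as "<namespace-uri> <local-name>",
    # so the check does not depend on the prefix the author chose.
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # A CCDA document has no need for a DTD; flag any declaration.
        findings.append(("doctype", sysid or ""))

    def on_start(name, attrs):
        namespace, _, local = name.rpartition(" ")
        if namespace in XINCLUDE_NAMESPACES and local == "include":
            findings.append(("xinclude", attrs.get("href", "")))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append(("malformed", str(exc)))
    return findings

# Constructed sample documents (not real patient data).
CRAFTED = b"""<ClinicalDocument xmlns="urn:hl7-org:v3"
    xmlns:inc="http://www.w3.org/2001/XInclude">
  <title><inc:include href="file:///etc/passwd" parse="text"/></title>
</ClinicalDocument>"""
CLEAN = b"""<ClinicalDocument xmlns="urn:hl7-org:v3">
  <title>Summary of Care</title>
</ClinicalDocument>"""

if __name__ == "__main__":
    for label, doc in (("crafted", CRAFTED), ("clean", CLEAN)):
        print(label, scan_ccda(doc) or "no findings")
```

A finding is a reason to quarantine the document for review; updating to 8.0.0.3 or later remains the fix.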

Exploit

Fix

XXE

Weakness Enumeration

Related Identifiers

CVE-2026-33913
GHSA-9757-3CFJ-WC8Q

Affected Products

Openemr