PT-2026-28152 · Openemr · Openemr

Published 2026-03-25 · Updated 2026-03-26 · CVE-2026-33932

CVSS v3.1: 7.6 High

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions

OpenEMR versions prior to 8.0.0.3

Description

OpenEMR is an electronic health records and medical practice management application. A stored cross-site scripting issue exists in the CCDA document preview functionality. An attacker who can upload or send a CCDA document can execute arbitrary JavaScript in a clinician’s browser session when the document is previewed. The XSL stylesheet does not sanitize the linkHtml attribute, allowing href="javascript:..." and event handler attributes to bypass sanitization. The vulnerable parameter is linkHtml.

Recommendations

Update to version 8.0.0.3 or later.
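
For triage of inbound CCDA documents while the update is being rolled out, the following added example (not OpenEMR code and not the fix shipped in 8.0.0.3) flags the two patterns named in the description. It assumes linkHtml appears as a CDA narrative element carrying an href; the scheme allowlist, the function names and the sample document are constructed for this illustration.

```python
import re
import xml.etree.ElementTree as ET  # for untrusted input in production, prefer a hardened parser such as defusedxml

ALLOWED_SCHEMES = {"http", "https"}  # assumption: allowlist chosen for this example
_CTRL_WS = re.compile(r"[\x00-\x20]+")  # browsers ignore some whitespace/control chars in URLs
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# Constructed sample: a CDA narrative fragment, not taken from a real document.
SAMPLE = """<ClinicalDocument xmlns="urn:hl7-org:v3">
  <text>
    <paragraph><linkHtml href="https://example.org/report.pdf">Report</linkHtml></paragraph>
    <paragraph><linkHtml href="javascript:void(0)">Results</linkHtml></paragraph>
    <paragraph><linkHtml href="https://example.org/a" onclick="void(0)">Notes</linkHtml></paragraph>
  </text>
</ClinicalDocument>"""

def local_name(qname):
    """Drop the '{namespace}' prefix ElementTree puts on qualified names."""
    return qname.rsplit("}", 1)[-1]

def href_problem(value):
    """Return a reason string if the href uses a scheme outside the allowlist."""
    compact = _CTRL_WS.sub("", value)
    match = _SCHEME.match(compact)
    if match is None:
        return None  # relative reference or fragment: no scheme to abuse
    scheme = match.group(1).lower()
    if scheme in ALLOWED_SCHEMES:
        return None
    return f"disallowed scheme '{scheme}'"

def find_unsafe_links(xml_text):
    """List (attribute, reason) pairs for every risky linkHtml attribute."""
    findings = []
    for element in ET.fromstring(xml_text).iter():
        if local_name(element.tag) != "linkHtml":
            continue
        for attr, value in element.attrib.items():
            name = local_name(attr).lower()
            if name.startswith("on"):
                findings.append((name, "event handler attribute"))
            elif name == "href":
                reason = href_problem(value)
                if reason:
                    findings.append((name, reason))
    return findings

if __name__ == "__main__":
    for finding in find_unsafe_links(SAMPLE):
        print(finding)
```

A hit from this check is a reason to quarantine the document before anyone previews it; it does not replace updating to 8.0.0.3 or later.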

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-33932
GHSA-G77X-9P3X-2J8F

Affected Products

Openemr