{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33932", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T19:50:52.103Z", "datePublished": "2026-03-25T23:37:58.427Z", "dateUpdated": "2026-03-30T14:56:39.996Z"}, "containers": {"cna": {"title": "OpenEMR has Stored XSS in CCDA Preview via Unsanitized linkHtml Attributes", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/openemr/openemr/security/advisories/GHSA-g77x-9p3x-2j8f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-g77x-9p3x-2j8f"}, {"name": "https://github.com/openemr/openemr/commit/95e6078889b5399b12b59117f998560cd94bd47d", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/commit/95e6078889b5399b12b59117f998560cd94bd47d"}, {"name": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3"}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"version": "< 8.0.0.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T23:37:58.427Z"}, "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a stored cross-site scripting vulnerability in the CCDA document preview allows an attacker who can upload or send a CCDA document to execute arbitrary JavaScript in a clinician's browser session when the document is previewed. The XSL stylesheet sanitizes attributes for all other narrative elements but not for `linkHtml`, allowing `href=\"javascript:...\"` and event handler attributes to pass through unchanged. Version 8.0.0.3 patches the issue."}], "source": {"advisory": "GHSA-g77x-9p3x-2j8f", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T13:19:22.777284Z", "id": "CVE-2026-33932", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T14:56:39.996Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33932", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T13:19:22.777284Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T13:19:16.950Z"}}], "cna": {"title": "OpenEMR has Stored XSS in CCDA Preview via Unsanitized linkHtml Attributes", "source": {"advisory": "GHSA-g77x-9p3x-2j8f", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"status": "affected", "version": "< 8.0.0.3"}]}], "references": [{"url": "https://github.com/openemr/openemr/security/advisories/GHSA-g77x-9p3x-2j8f", "name": "https://github.com/openemr/openemr/security/advisories/GHSA-g77x-9p3x-2j8f", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openemr/openemr/commit/95e6078889b5399b12b59117f998560cd94bd47d", "name": "https://github.com/openemr/openemr/commit/95e6078889b5399b12b59117f998560cd94bd47d", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "name": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a stored cross-site scripting vulnerability in the CCDA document preview allows an attacker who can upload or send a CCDA document to execute arbitrary JavaScript in a clinician's browser session when the document is previewed. The XSL stylesheet sanitizes attributes for all other narrative elements but not for `linkHtml`, allowing `href=\"javascript:...\"` and event handler attributes to pass through unchanged. Version 8.0.0.3 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T23:37:58.427Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33932", "state": "PUBLISHED", "dateUpdated": "2026-03-30T14:56:39.996Z", "dateReserved": "2026-03-24T19:50:52.103Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-25T23:37:58.427Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "matchCriteriaId": "E3E098AF-42A1-4798-85A7-80052F19F809", "versionEndExcluding": "8.0.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a stored cross-site scripting vulnerability in the CCDA document preview allows an attacker who can upload or send a CCDA document to execute arbitrary JavaScript in a clinician's browser session when the document is previewed. The XSL stylesheet sanitizes attributes for all other narrative elements but not for `linkHtml`, allowing `href=\"javascript:...\"` and event handler attributes to pass through unchanged. Version 8.0.0.3 patches the issue."}], "id": "CVE-2026-33932", "lastModified": "2026-03-26T16:27:53.530", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-26T00:16:39.953", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openemr/openemr/commit/95e6078889b5399b12b59117f998560cd94bd47d"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-g77x-9p3x-2j8f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.0.0.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openemr", "source": "cna", "vendor": "openemr"}, "product": "openemr", "vendor": "openemr"}], "analysis": {"en": {"generated_at": "2026-03-26T18:06:18.837159+00:00", "value": {"mitigation_remediation": ["Upgrade to OpenEMR 8.0.0.3 or later to receive the patch that sanitizes linkHtml attributes.", "If an upgrade cannot be performed immediately, disable the CCDA preview feature or restrict its use to trusted users only.", "As a temporary measure, review or sanitize any CCDA documents before previewing to remove malicious linkHtml attributes."], "summary": {"action": "Immediate Patch", "impact": "Client\u2011Side Stored XSS"}, "threat_synthesis": {"affected_systems": "The flaw affects all OpenEMR installations whose version is earlier than 8.0.0.3. The issue was fixed in commit 95e6078 and rolled into the 8.0.0.3 release, so any release at or above that version is no longer vulnerable.", "description_and_impact": "OpenEMR is susceptible to a stored cross\u2011site scripting flaw in the CCDA document preview. The XSL stylesheet sanitizes most narrative elements but mistakenly leaves the linkHtml attribute unsanitized, allowing an attacker to embed a malicious href such as javascript:\u2026 or event handler attributes. When a clinician opens the preview, the attacker\u2019s script runs in the user\u2019s browser, granting client\u2011side code execution that can hijack the session, exfiltrate data, or perform other malicious actions. The weakness is classified as CWE\u201179.", "risk_and_exploitability": "This vulnerability carries a CVSS score of 7.6, indicating high severity. However, the EPSS score is below 1\u202f%, suggesting a low probability of exploitation at the moment, and it is not listed in the CISA KEV catalog. An attacker must be able to supply a CCDA document to the target system\u2014either by uploading or by forwarding the file\u2014and the victim must subsequently view the preview for the payload to execute. Because the attack vector is limited to client\u2011side actions, the risk to the system is largely confined to the compromised user\u2019s session."}}}}, "created": "2026-03-26T11:31:07.644689+00:00", "updated": "2026-03-27T09:29:19.821433+00:00", "vendors": ["openemr", "openemr$PRODUCT$openemr"]}