CVE-2026-33933 (GCVE-0-2026-33933)
Vulnerability from cvelistv5 – Published: 2026-03-25 23:40 – Updated: 2026-03-26 14:23
VLAI?
Title
Reflected XSS via Unescaped contextName Parameter in Custom Template Editor
Summary
OpenEMR is a free and open source electronic health records and medical practice management application. Starting in version 7.0.2.1 and prior to version 8.0.0.3, a reflected cross-site scripting (XSS) vulnerability in the custom template editor allows an attacker to execute arbitrary JavaScript in an authenticated staff member's browser session by sending them a crafted URL. The attacker does not need an OpenEMR account. Version 8.0.0.3 patches the issue.
Severity ?
6.1 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33933",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-26T14:23:26.710975Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-26T14:23:30.021Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/openemr/openemr/security/advisories/GHSA-9qh7-cfq4-j7c3"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "openemr",
"vendor": "openemr",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.0.2.1, \u003c 8.0.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OpenEMR is a free and open source electronic health records and medical practice management application. Starting in version 7.0.2.1 and prior to version 8.0.0.3, a reflected cross-site scripting (XSS) vulnerability in the custom template editor allows an attacker to execute arbitrary JavaScript in an authenticated staff member\u0027s browser session by sending them a crafted URL. The attacker does not need an OpenEMR account. Version 8.0.0.3 patches the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T23:40:16.193Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/openemr/openemr/security/advisories/GHSA-9qh7-cfq4-j7c3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/openemr/openemr/security/advisories/GHSA-9qh7-cfq4-j7c3"
},
{
"name": "https://github.com/openemr/openemr/commit/d5c8d49ef19983472b2d7db0dbebd2dac9d6a200",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openemr/openemr/commit/d5c8d49ef19983472b2d7db0dbebd2dac9d6a200"
},
{
"name": "https://github.com/openemr/openemr/commit/de9b6eb0da574430e8223c014cf4a05b0adc29d8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openemr/openemr/commit/de9b6eb0da574430e8223c014cf4a05b0adc29d8"
},
{
"name": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3"
}
],
"source": {
"advisory": "GHSA-9qh7-cfq4-j7c3",
"discovery": "UNKNOWN"
},
"title": "Reflected XSS via Unescaped contextName Parameter in Custom Template Editor"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33933",
"datePublished": "2026-03-25T23:40:16.193Z",
"dateReserved": "2026-03-24T19:50:52.103Z",
"dateUpdated": "2026-03-26T14:23:30.021Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-33933",
"date": "2026-04-16",
"epss": "0.00024",
"percentile": "0.06497"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-33933\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-26T00:16:40.120\",\"lastModified\":\"2026-03-26T16:17:56.660\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenEMR is a free and open source electronic health records and medical practice management application. Starting in version 7.0.2.1 and prior to version 8.0.0.3, a reflected cross-site scripting (XSS) vulnerability in the custom template editor allows an attacker to execute arbitrary JavaScript in an authenticated staff member\u0027s browser session by sending them a crafted URL. The attacker does not need an OpenEMR account. Version 8.0.0.3 patches the issue.\"},{\"lang\":\"es\",\"value\":\"OpenEMR es una aplicaci\u00f3n gratuita y de c\u00f3digo abierto de registros de salud electr\u00f3nicos y gesti\u00f3n de consultorios m\u00e9dicos. A partir de la versi\u00f3n 7.0.2.1 y antes de la versi\u00f3n 8.0.0.3, una vulnerabilidad de cross-site scripting (XSS) reflejado en el editor de plantillas personalizadas permite a un atacante ejecutar JavaScript arbitrario en la sesi\u00f3n del navegador de un miembro del personal autenticado envi\u00e1ndoles una URL manipulada. El atacante no necesita una cuenta de OpenEMR. La versi\u00f3n 8.0.0.3 corrige el problema.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":6.1,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":2.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.0.2.1\",\"versionEndExcluding\":\"8.0.0.3\",\"matchCriteriaId\":\"37A001F6-4070-4BC4-8A5A-B4CCEA856E39\"}]}]}],\"references\":[{\"url\":\"https://github.com/openemr/openemr/commit/d5c8d49ef19983472b2d7db0dbebd2dac9d6a200\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/openemr/openemr/commit/de9b6eb0da574430e8223c014cf4a05b0adc29d8\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/openemr/openemr/releases/tag/v8_0_0_3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\"]},{\"url\":\"https://github.com/openemr/openemr/security/advisories/GHSA-9qh7-cfq4-j7c3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/openemr/openemr/security/advisories/GHSA-9qh7-cfq4-j7c3\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33933\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-26T14:23:26.710975Z\"}}}], \"references\": [{\"url\": \"https://github.com/openemr/openemr/security/advisories/GHSA-9qh7-cfq4-j7c3\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-26T14:23:22.033Z\"}}], \"cna\": {\"title\": \"Reflected XSS via Unescaped contextName Parameter in Custom Template Editor\", \"source\": {\"advisory\": \"GHSA-9qh7-cfq4-j7c3\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"openemr\", \"product\": \"openemr\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 7.0.2.1, \u003c 8.0.0.3\"}]}], \"references\": [{\"url\": \"https://github.com/openemr/openemr/security/advisories/GHSA-9qh7-cfq4-j7c3\", \"name\": \"https://github.com/openemr/openemr/security/advisories/GHSA-9qh7-cfq4-j7c3\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/openemr/openemr/commit/d5c8d49ef19983472b2d7db0dbebd2dac9d6a200\", \"name\": \"https://github.com/openemr/openemr/commit/d5c8d49ef19983472b2d7db0dbebd2dac9d6a200\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/openemr/openemr/commit/de9b6eb0da574430e8223c014cf4a05b0adc29d8\", \"name\": \"https://github.com/openemr/openemr/commit/de9b6eb0da574430e8223c014cf4a05b0adc29d8\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/openemr/openemr/releases/tag/v8_0_0_3\", \"name\": \"https://github.com/openemr/openemr/releases/tag/v8_0_0_3\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"OpenEMR is a free and open source electronic health records and medical practice management application. Starting in version 7.0.2.1 and prior to version 8.0.0.3, a reflected cross-site scripting (XSS) vulnerability in the custom template editor allows an attacker to execute arbitrary JavaScript in an authenticated staff member\u0027s browser session by sending them a crafted URL. The attacker does not need an OpenEMR account. Version 8.0.0.3 patches the issue.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-25T23:40:16.193Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-33933\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-26T14:23:30.021Z\", \"dateReserved\": \"2026-03-24T19:50:52.103Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-25T23:40:16.193Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…