OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.2 are vulnerable to stored cross-site scripting (XSS) via unescaped `portal_login_username` in the portal credential print view. A patient portal user can set their login username to an XSS payload, which then executes in a clinic staff member's browser when they open the "Create Portal Login" page for that patient. This crosses from the patient session context into the staff/admin session context. Version 8.0.0.2 fixes the issue.
References
| Link | Resource |
|---|---|
| https://github.com/openemr/openemr/commit/c32139b5144b1c704015221520ad2f931e25f10d | Patch |
| https://github.com/openemr/openemr/security/advisories/GHSA-cp37-pmfx-5mhm | Exploit Vendor Advisory |
Configurations
History
20 Mar 2026, 15:07
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:* | |
| References | () https://github.com/openemr/openemr/commit/c32139b5144b1c704015221520ad2f931e25f10d - Patch | |
| References | () https://github.com/openemr/openemr/security/advisories/GHSA-cp37-pmfx-5mhm - Exploit, Vendor Advisory | |
| First Time |
Open-emr openemr
Open-emr |
19 Mar 2026, 21:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-03-19 21:17
Updated : 2026-03-20 15:07
NVD link : CVE-2026-33303
Mitre link : CVE-2026-33303
CVE.ORG link : CVE-2026-33303
JSON object : View
Products Affected
open-emr
- openemr
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')