CVE-2026-33346 - Vulnerability Analysis
High | CVSS: 8.7 | Last Updated: March 19, 2026
OpenEMR - Stored XSS
Overview
OpenEMR < 8.0.0.2 contains a stored XSS caused by improper escaping of user input in the portal payment flow, which lets patient portal users execute arbitrary JavaScript in staff members' browsers. Exploitation requires patient portal access.
Impact
Patient portal users can execute arbitrary JavaScript in staff browsers, potentially leading to session hijacking or unauthorized actions.
Mitigation
Update to version 8.0.0.2 or later.
Social Media Activity (2 posts)
CVE-2026-33346 - High (8.7) OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, a stored cross-site scripting (XSS) vulnerability in the patient portal payment flow allows a patient portal user to persist... https://www.thehackerwire.com/vulnerability/CVE-2026-33346/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-33346
- Severity: High
- CVSS Score: 8.7
- Type: stored_xss
- Status: new
- EPSS: 0.0%
- Social Posts: 2
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N