LeakyCreds

CVE-2026-33348 - Vulnerability Analysis

High | CVSS: 8.7

Last Updated: March 26, 2026

OpenEMR - Stored XSS

Published: March 25, 2026 | Updated: March 26, 2026 | PoC Available | Remote Exploitable

Overview

OpenEMR < 8.0.0.3 contains a stored cross-site scripting vulnerability caused by improper sanitization of Eye Exam form answers. It lets authenticated users with the 'Notes - my encounters' role execute arbitrary JavaScript. Exploitation requires that specific role.

Severity & Score

Severity: High
CVSS Score: 8.7
EPSS Score: 6.9% (Probability of exploitation in next 30 days)

Impact

Authenticated users with the 'Notes - my encounters' role can execute arbitrary JavaScript, potentially leading to session hijacking or unauthorized actions.

Mitigation

Update to version 8.0.0.3 or later.

Social Media Activity (1 post)

TheHackerWire
@thehackerwire
Mar 25, 2026

🟠 CVE-2026-33348 - High (8.7) OpenEMR is a free and open source electronic health records and medical practice management application. Users with the `Notes - my encounters` role can fill Eye Exam forms in patient encounters. The answers to the form are displayed on the en... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33348/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-33348
Severity: High
CVSS Score: 8.7
Type: stored_xss
Status: confirmed
EPSS: 6.9%
Social Posts: 1

CWE

  • CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

EPSS Score

6.9% (Probability of exploitation in the next 30 days)