Description

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 8.0.0.2 are vulnerable to stored cross-site scripting (XSS) via unescaped `portal_login_username` in the portal credential print view. A patient portal user can set their login username to an XSS payload, which then executes in a clinic staff member's browser when they open the "Create Portal Login" page for that patient. This crosses from the patient session context into the staff/admin session context. Version 8.0.0.2 fixes the issue.

INFO

Published Date :

2026-03-19T20:25:05.823Z

Last Modified :

2026-03-19T20:25:05.823Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33303 vulnerability.

Vendors Products
Open-emr
  • Openemr
Openemr
  • Openemr
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33303.

URL Resource
https://github.com/openemr/openemr/commit/c32139b5144b1c704015221520ad2f931e25f10d cve-icon cve-icon
https://github.com/openemr/openemr/security/advisories/GHSA-cp37-pmfx-5mhm cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact