SB20260423170 - Multiple vulnerabilities in OpenEMR
Published: April 23, 2026 Updated: April 30, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 13 vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2026-33299)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in another user's browser.
The vulnerability exists due to cross-site scripting in the Eye Exam form answer display function when rendering stored form answers on patient encounter pages or visit history. A remote user can submit a malicious form answer to execute arbitrary JavaScript in another user's browser.
User interaction is required, and the injected script executes when a user with the relevant form role views the affected encounter content or visit history.
2) Missing Authorization (CVE-ID: CVE-2026-33305)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information and modify configuration data.
The vulnerability exists due to missing authorization in the FaxSMS AppDispatch constructor and action dispatch mechanism when handling requests with the _ACTION_COMMAND parameter. A remote user can send a specially crafted request to disclose sensitive information and modify configuration data.
Only installations with the optional oe-module-faxsms module enabled are vulnerable.
3) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-33304)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to authorization bypass through user-controlled key in dated reminders log page when handling crafted GET requests with arbitrary sentTo[] or sentBy[] parameters. A remote user can send a specially crafted request to disclose sensitive information.
The issue exposes other users' reminder messages, including associated patient names and free-text message content.
4) Cross-site scripting (CVE-ID: CVE-2026-33303)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary script in a clinic staff member's browser session.
The vulnerability exists due to cross-site scripting in the credential print view template when rendering a stored portal_login_username value into an HTML attribute without proper escaping. A remote user can set a crafted portal username and cause a staff member to open the patient's "Create Portal Login" page to execute arbitrary script in a clinic staff member's browser session.
User interaction is required, and the issue crosses from the patient portal session context into the staff or admin session context.
5) Cross-site scripting (CVE-ID: CVE-2026-32119)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in another user's browser session.
The vulnerability exists due to cross-site scripting in the SearchHighlight plugin in library/js/SearchHighlight.js when processing stored encounter-form text during single-word searches on the Custom Report page. A remote user can store crafted script content in a free-text encounter form field to execute arbitrary JavaScript in another user's browser session.
User interaction is required, and exploitation occurs only for encounter form content rendered inside search_div_* containers when the victim uses the single-word search feature on the Custom Report page.
6) OS Command Injection (CVE-ID: CVE-2026-32238)
CWE-ID: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to command injection in backup functionality in interface/main/backup.php when processing user-supplied backup selection values embedded in shell commands. A remote privileged user can send specially crafted backup parameters referencing attacker-controlled database values to execute arbitrary code.
Exploitation requires access to the backup functionality and the ability to place a payload in database fields such as list_options.option_id, list_options.list_id, layout_options.form_id, or layout_group_properties.grp_form_id.
7) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-33321)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to perform server-side request forgery.
The vulnerability exists due to server-side request forgery in the Eye Exam PDF creation function when parsing attacker-controlled form answers as unescaped HTML during PDF generation. A remote user can submit a crafted Eye Exam form value and generate a PDF to perform server-side request forgery.
Exploitation requires an account with the Notes - my encounters role.
8) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-25744)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to overwrite arbitrary patient vital records.
The vulnerability exists due to authorization bypass through a user-controlled key in the encounter vitals API endpoint when handling crafted POST requests containing an attacker-supplied vital id. A remote user can send a specially crafted request with another patient's vital id to overwrite arbitrary patient vital records.
The issue affects updates because the supplied vital record id is not verified as belonging to the specified patient or encounter.
9) Cross-site scripting (CVE-ID: CVE-2026-33346)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in a staff member's browser.
The vulnerability exists due to cross-site scripting in portal/portal_payment.php when rendering stored payment submission data. A remote user can submit a specially crafted payment value to execute arbitrary JavaScript in a staff member's browser.
User interaction is required when a staff member reviews the payment submission in the portal activity queue.
CWE-ID: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper neutralization of special elements in output used by a downstream component in the Eye Exam PDF creation function when parsing Eye Exam form answers as HTML during PDF generation. A remote user can submit crafted form content containing a file:// image reference to disclose sensitive information.
Exploitation requires an account with the Notes - my encounters role and access to the Eye Exam form in a patient encounter.
11) Missing Authorization (CVE-ID: CVE-2026-34053)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to delete procedure orders, answers, and specimens for arbitrary patients.
The vulnerability exists due to improper access control in interface/forms/procedure_order/handle_deletions.php when handling crafted POST requests to the AJAX deletion endpoint. A remote user can send a specially crafted request with enumerated order_id, order_seq, or specimen_id values to delete procedure orders, answers, and specimens for arbitrary patients.
The endpoint requires an authenticated session and a valid CSRF token, but the identifiers are sequential integers that are trivial to enumerate.
12) Path traversal (CVE-ID: CVE-2026-25928)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to write files outside the intended directory.
The vulnerability exists due to path traversal in controllers/C_Document.class.php upload_action_process() and zip_dicom_folder() when processing a user-supplied destination parameter during DICOM folder zip export. A remote user can submit a specially crafted destination value containing traversal sequences to write files outside the intended directory.
If files are written under the web root, this may enable remote code execution. The issue affects the DICOM zip/export feature and requires DICOM upload/export permission.
13) Incorrect authorization (CVE-ID: CVE-2026-33302)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass authorization restrictions.
The vulnerability exists due to incorrect authorization in AclMain::zhAclCheck() when evaluating module ACL permissions. A remote user can rely on a group "allow" entry while an explicit user or group "deny" exists to bypass authorization restrictions.
Exploitation requires authentication and that the affected feature uses module ACL checks through zhAclCheck().
Remediation
Install update from vendor's website.
References
- https://github.com/openemr/openemr/security/advisories/GHSA-pgvq-f22q-2whp
- https://github.com/openemr/openemr/security/advisories/GHSA-r973-h5cq-35rc
- https://github.com/openemr/openemr/security/advisories/GHSA-66j9-ffq4-h222
- https://github.com/openemr/openemr/security/advisories/GHSA-cp37-pmfx-5mhm
- https://github.com/openemr/openemr/security/advisories/GHSA-q283-5j7f-r6hp
- https://github.com/openemr/openemr/security/advisories/GHSA-6pmc-3xm7-pm86
- https://github.com/openemr/openemr/security/advisories/GHSA-5pc3-2crw-96rv
- https://github.com/openemr/openemr/security/advisories/GHSA-mv9m-j65p-g55f
- https://github.com/openemr/openemr/security/advisories/GHSA-qvf6-6xc6-9qv7
- https://github.com/openemr/openemr/security/advisories/GHSA-v9v3-q973-xp2h
- https://github.com/openemr/openemr/security/advisories/GHSA-3vvq-pfq6-pw98
- https://github.com/openemr/openemr/security/advisories/GHSA-rppw-f689-6hrm
- https://github.com/openemr/openemr/security/advisories/GHSA-v68v-pwc4-8p2m