Cross-site scripting in OpenEMR - CVE-2026-33933
Published: April 23, 2026
OpenEMR
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary JavaScript in an authenticated staff member's browser session.
The flaw is a reflected cross-site scripting issue in library/custom_template/custom_template.php. The script handles a URL that carries the contextName parameter, and a value supplied in that parameter reaches the returned page without adequate output encoding, so script content placed in it is rendered and executed by the victim's browser. Because the page is served from the OpenEMR origin, the injected script runs with the victim's authenticated session.
Exploitation requires user interaction: the victim must be logged in to OpenEMR and open the crafted URL, which the attacker has to deliver to them (for example as a link).
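The pattern behind a flaw of this kind, shown as an added example rather than OpenEMR's code: the advisory does not publish the affected lines, so the markup, the two render functions and the payload below are assumed for illustration; only the parameter name contextName is taken from the description. The first function reflects the query value into HTML unchanged, the second encodes it first.

```php
<?php
// Illustrative example, not OpenEMR's code: a request parameter reflected into
// HTML unescaped (the reflected-XSS pattern) next to a hardened version.
// Parameter name follows the advisory; the markup and function names are assumed.

declare(strict_types=1);

// Vulnerable: the raw query-string value is concatenated into the document, so
// any markup it contains becomes part of the page.
function render_context_vulnerable(string $contextName): string
{
    return '<h3>Templates for: ' . $contextName . '</h3>';
}

// Hardened: encode the value for an HTML text node before emitting it.
// ENT_QUOTES also encodes single quotes, so the same helper is safe inside a
// quoted attribute value; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// making htmlspecialchars() return an empty string.
function html_text(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_context_hardened(string $contextName): string
{
    return '<h3>Templates for: ' . html_text($contextName) . '</h3>';
}

// Constructed input standing in for ?contextName=<payload>; in a real handler
// the value would come from $_GET['contextName'].
$payload = '"><script>alert(document.cookie)</script>';

echo "Vulnerable output:\n", render_context_vulnerable($payload), "\n\n";
echo "Hardened output:\n", render_context_hardened($payload), "\n";
```

Run with the PHP CLI (php example.php). The vulnerable output contains a live <script> element; the hardened output contains &lt;script&gt; and &quot;, which the browser renders as text. Encoding has to match the output context: htmlspecialchars() is correct for HTML text and quoted attribute values, but a value written into a JavaScript block or a URL needs JavaScript or URL encoding instead, and a Content-Security-Policy that disallows inline scripts limits the damage if an encoding is missed.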