CVE-2026-33933
MEDIUMReflected XSS via Unescaped contextName Parameter in Custom Template Editor
Title source: cnaDescription
OpenEMR is a free and open source electronic health records and medical practice management application. Starting in version 7.0.2.1 and prior to version 8.0.0.3, a reflected cross-site scripting (XSS) vulnerability in the custom template editor allows an attacker to execute arbitrary JavaScript in an authenticated staff member's browser session by sending them a crafted URL. The attacker does not need an OpenEMR account. Version 8.0.0.3 patches the issue.
References (4)
Core 4
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/openemr/openemr/security/advisories/GHSA-9qh7-cfq4-j7c3
X_Refsource_Misc x_refsource_misc
https://github.com/openemr/openemr/commit/d5c8d49ef19983472b2d7db0dbebd2dac9d6a200
X_Refsource_Misc x_refsource_misc
https://github.com/openemr/openemr/commit/de9b6eb0da574430e8223c014cf4a05b0adc29d8
X_Refsource_Misc x_refsource_misc
https://github.com/openemr/openemr/releases/tag/v8_0_0_3
Scores
CVSS v3
6.1
EPSS
0.0027
EPSS Percentile
18.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
open-emr/openemr
7.0.2.1 - 8.0.0.3
openemr/openemr
>= 7.0.2.1, < 8.0.0.3
Published
Mar 26, 2026
Tracked Since
Mar 26, 2026