Platform: php
Component: openemr
Fixed in: 8.0.1
CVE-2026-33346 describes a stored cross-site scripting (XSS) vulnerability in the OpenEMR patient portal payment flow. It allows a malicious patient portal user to inject and persist arbitrary JavaScript, which then executes in the browser of a staff member who reviews the payment submission, potentially leading to account compromise or data theft. The vulnerability affects OpenEMR versions prior to 8.0.0.2 and is patched in version 8.0.0.2.
The impact of this XSS vulnerability is significant, as it allows attackers to execute arbitrary JavaScript code within the context of a staff user's session. This could enable attackers to steal sensitive patient data, including Protected Health Information (PHI), manipulate payment records, or even gain unauthorized access to the OpenEMR system. The stored nature of the vulnerability means the malicious payload persists, potentially affecting multiple staff members over time. Successful exploitation could lead to regulatory fines (HIPAA), reputational damage, and disruption of healthcare services. While no direct precedent exists for this specific OpenEMR vulnerability, XSS vulnerabilities in healthcare applications are a known attack vector, and the potential for data exfiltration and system compromise is high.
CVE-2026-33346 was publicly disclosed on 2026-03-19. There is currently no indication of active exploitation in the wild, and it is not listed on the CISA KEV catalog. The availability of a public proof-of-concept is currently unknown. Given the relatively recent disclosure and the potential impact, organizations should prioritize patching to prevent potential exploitation.
Exploit Status
EPSS: 0.04% (14th percentile)
The primary mitigation for CVE-2026-33346 is to upgrade OpenEMR to version 8.0.0.2 or later without delay. If upgrading is not immediately feasible, consider temporary workarounds such as strict input validation and output encoding in portal/lib/paylib.php and portal/portal_payment.php. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting these specific files can add a further layer of protection. Regularly review OpenEMR logs for suspicious activity, particularly around patient portal payments, and maintain robust security monitoring. After upgrading, confirm the fix by submitting a payment with a known malicious JavaScript payload and verifying that it is properly sanitized and does not execute.
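The output-encoding workaround described above, as an added illustration that is not OpenEMR's code: a staff-side review page that echoes a patient-supplied payment field unescaped, beside a version that encodes every stored value at render time and validates input as a second layer. The record shape, field names and the `renderPaymentRow*`/`validatePayment` functions are assumed for the example.

```php
<?php
// Added example, not OpenEMR code. The record shape and field names are
// assumed; the real flow lives in portal/lib/paylib.php and
// portal/portal_payment.php.

// Constructed sample: a payment record as a portal user might have stored it.
// The memo carries a harmless script marker instead of a note.
$payment = [
    'patient_name' => 'Jane Doe',
    'amount'       => '125.00',
    'method'       => 'credit',
    'memo'         => '<script>alert("xss")</script>',
];

function renderPaymentRowUnsafe(array $p): string {
    // Vulnerable pattern: stored, patient-controlled values are concatenated
    // straight into HTML, so the memo's <script> tag runs in the staff browser.
    return "<tr><td>{$p['patient_name']}</td><td>{$p['amount']}</td>"
         . "<td>{$p['method']}</td><td>{$p['memo']}</td></tr>";
}

function esc(string $s): string {
    // HTML text/attribute encoding. OpenEMR's own text()/attr() helpers
    // serve the same purpose inside the application.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderPaymentRowSafe(array $p): string {
    // Hardened pattern: every stored value is encoded when it is output,
    // regardless of what validation ran when it was submitted. The browser
    // shows the literal text "<script>..." instead of executing it.
    return '<tr><td>' . esc($p['patient_name']) . '</td><td>' . esc($p['amount'])
         . '</td><td>' . esc($p['method']) . '</td><td>' . esc($p['memo']) . '</td></tr>';
}

function validatePayment(array $p): array {
    // Input validation as a second layer: amount must be decimal, method from
    // a fixed list, memo bounded. This narrows what can be stored but does not
    // replace output encoding.
    $errors = [];
    if (!preg_match('/^\d+(\.\d{1,2})?$/', $p['amount'])) { $errors[] = 'amount must be decimal'; }
    if (!in_array($p['method'], ['credit', 'debit', 'check'], true)) { $errors[] = 'unknown method'; }
    if (mb_strlen($p['memo']) > 200) { $errors[] = 'memo too long'; }
    return $errors;
}

echo "Unsafe:\n" . renderPaymentRowUnsafe($payment) . "\n\n";
echo "Safe:\n"   . renderPaymentRowSafe($payment)   . "\n\n";
$errors = validatePayment($payment);
echo 'Validation: ' . ($errors ? implode('; ', $errors) : 'ok') . "\n";
```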
Upgrade OpenEMR to version 8.0.0.2 or later. This version fixes the stored XSS vulnerability in the patient portal payment flow.
CVE-2026-33346 is a stored cross-site scripting (XSS) vulnerability in OpenEMR's patient portal payment flow, allowing attackers to inject malicious JavaScript.
You are affected if you are using OpenEMR versions prior to 8.0.0.2 and have a patient portal enabled.
Upgrade OpenEMR to version 8.0.0.2 or later. Consider temporary workarounds like input validation and WAF rules if immediate upgrade is not possible.
There is currently no indication of active exploitation in the wild, but organizations should prioritize patching.
Refer to the OpenEMR security advisories page for the latest information: [https://www.openemr.org/security/](https://www.openemr.org/security/)