CVE-2026-33346 Overview
A stored cross-site scripting (XSS) vulnerability has been identified in OpenEMR, a widely used free and open source electronic health records and medical practice management application. The vulnerability exists in the patient portal payment flow and allows a patient portal user to persist arbitrary JavaScript that executes in the browser of a staff member who reviews the payment submission.
The malicious payload is stored via portal/lib/paylib.php and rendered without proper escaping in portal/portal_payment.php. This vulnerability poses significant risk in healthcare environments where compromised staff accounts could lead to unauthorized access to sensitive patient health information.
Critical Impact
Attackers can execute arbitrary JavaScript in staff member browsers, potentially leading to session hijacking, credential theft, and unauthorized access to protected health information (PHI) within the OpenEMR system.
Affected Products
- OpenEMR versions prior to 8.0.0.2
- OpenEMR Patient Portal Payment Module
- OpenEMR installations with patient portal enabled
Discovery Timeline
- 2026-03-19 - CVE CVE-2026-33346 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-33346
Vulnerability Analysis
This stored XSS vulnerability (CWE-79) represents a classic case of insufficient output encoding in a web application. The vulnerability occurs when user-controlled data from the payment submission flow is stored in the database and later rendered directly into a JavaScript context without proper sanitization or escaping.
The attack requires a valid patient portal account (low privileges) and user interaction from a staff member who must view the malicious payment submission. Once triggered, the JavaScript executes in the context of the staff member's authenticated session, potentially allowing the attacker to perform actions on behalf of the staff user, steal session tokens, or access sensitive patient data visible to that staff member.
Root Cause
The root cause is improper neutralization of input during web page generation. Specifically, the portal/portal_payment.php file directly embeds user-controlled data (table_args and checksum values) into inline JavaScript without using the appropriate escaping function (js_escape()). This allows attackers to break out of the JavaScript string context and inject arbitrary code.
Attack Vector
The attack vector is network-based and requires the attacker to have authenticated access to the patient portal. The attacker submits a payment with a crafted payload containing malicious JavaScript. When a staff member subsequently views this payment submission through the administrative interface, the stored JavaScript executes in their browser context.
// Vulnerable code in portal/portal_payment.php
if ($edata) {
$ccdata = json_decode($cryptoGen->decryptStandard($edata['checksum']), true);
$invdata = json_decode((string) $edata['table_args'], true);
- echo "<script>var jsondata='" . $edata['table_args'] . "';var ccdata='" . $edata['checksum'] . "'</script>";
+ echo "<script>var jsondata=" . js_escape($edata['table_args']) . ";var ccdata=" . js_escape($edata['checksum']) . "</script>";
}
// Display a row of data for an encounter.
Source: GitHub Commit Update
Detection Methods for CVE-2026-33346
Indicators of Compromise
- Unusual JavaScript patterns in payment submission data fields containing characters like </script>, <script>, or event handlers
- Unexpected network requests originating from staff browsers when viewing payment records
- Anomalous administrative actions performed by staff accounts following payment reviews
- Browser console errors indicating script execution failures from malformed XSS attempts
Detection Strategies
- Implement web application firewall (WAF) rules to detect XSS patterns in payment submission requests
- Monitor application logs for payment submissions containing HTML/JavaScript syntax
- Enable Content Security Policy (CSP) violation reporting to detect inline script execution attempts
- Review audit logs for unusual administrative actions following payment review workflows
Monitoring Recommendations
- Configure browser-based monitoring for unexpected DOM modifications during payment review sessions
- Implement server-side input validation logging to track potentially malicious submissions
- Monitor for session anomalies such as concurrent sessions or geographic impossibilities following payment reviews
- Enable real-time alerting on CSP violations from the patient portal and administrative interfaces
How to Mitigate CVE-2026-33346
Immediate Actions Required
- Upgrade OpenEMR to version 8.0.0.2 or later immediately
- Review existing payment submissions for potentially malicious payloads
- Audit staff account activity for signs of compromise
- Implement Content Security Policy headers to prevent inline script execution
- Consider temporarily restricting patient portal payment functionality until patching is complete
Patch Information
OpenEMR has released version 8.0.0.2 which addresses this vulnerability. The fix implements proper JavaScript escaping using the js_escape() function when rendering user-controlled data in script contexts. The security patch is available via the GitHub Commit Update.
For detailed vulnerability information, refer to the GitHub Security Advisory GHSA-qvf6-6xc6-9qv7.
Workarounds
- Implement a Content Security Policy (CSP) header that disallows inline scripts to mitigate XSS exploitation
- Deploy a Web Application Firewall (WAF) with XSS filtering rules for the patient portal endpoints
- Temporarily disable the patient portal payment functionality until the patch can be applied
- Restrict staff access to payment review functionality to a limited set of accounts that can be closely monitored
# Apache configuration example - Add CSP header to mitigate XSS
<IfModule mod_headers.c>
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';"
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
