{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33346", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T22:15:11.813Z", "datePublished": "2026-03-19T20:33:10.437Z", "dateUpdated": "2026-03-19T20:33:10.437Z"}, "containers": {"cna": {"title": "OpenEMR has stored XSS in portal_payment.php via Unescaped table_args", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/openemr/openemr/security/advisories/GHSA-qvf6-6xc6-9qv7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-qvf6-6xc6-9qv7"}, {"name": "https://github.com/openemr/openemr/commit/6e9e1566d6e271a6d839614674b887e3a73d7da1", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/commit/6e9e1566d6e271a6d839614674b887e3a73d7da1"}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"version": "< 8.0.0.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T20:33:10.437Z"}, "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, a stored cross-site scripting (XSS) vulnerability in the patient portal payment flow allows a patient portal user to persist arbitrary JavaScript that executes in the browser of a staff member who reviews the payment submission. The payload is stored via `portal/lib/paylib.php` and rendered without escaping in `portal/portal_payment.php`. Version 8.0.0.2 fixes the issue."}], "source": {"advisory": "GHSA-qvf6-6xc6-9qv7", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, a stored cross-site scripting (XSS) vulnerability in the patient portal payment flow allows a patient portal user to persist arbitrary JavaScript that executes in the browser of a staff member who reviews the payment submission. The payload is stored via `portal/lib/paylib.php` and rendered without escaping in `portal/portal_payment.php`. Version 8.0.0.2 fixes the issue."}], "id": "CVE-2026-33346", "lastModified": "2026-03-19T21:17:12.180", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T21:17:12.180", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/openemr/openemr/commit/6e9e1566d6e271a6d839614674b887e3a73d7da1"}, {"source": "security-advisories@github.com", "url": "https://github.com/openemr/openemr/security/advisories/GHSA-qvf6-6xc6-9qv7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.0.0.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openemr", "source": "cna", "vendor": "openemr"}, "product": "openemr", "vendor": "openemr"}], "analysis": {"en": {"generated_at": "2026-03-19T21:50:26.561319+00:00", "value": {"mitigation_remediation": ["Upgrade OpenEMR to version 8.0.0.2 or later."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all OpenEMR releases older than 8.0.0.2. The affected product is OpenEMR, a free and open\u2011source electronic health records and medical practice management application.", "description_and_impact": "Prior to OpenEMR 8.0.0.2, a stored cross\u2011site scripting (CWE\u201179) vulnerability exists in the patient portal payment flow. A malicious user can submit a payment containing arbitrary JavaScript that is persisted via portal/lib/paylib.php and later rendered without escaping in portal/portal_payment.php. When a staff member reviews the payment, the script executes in the staff browser, potentially allowing theft of session cookies, defacement, or arbitrary code execution within the staff environment.", "risk_and_exploitability": "The CVSS base score of 8.7 indicates high severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is via an authenticated patient portal user who submits a crafted payment; the exploit does not require elevated privileges and is straightforward through the existing payment interface, executing when staff review the stored submission."}}}}, "created": "2026-03-20T08:56:13.431862+00:00", "updated": "2026-03-20T11:06:23.486814+00:00", "vendors": ["openemr", "openemr$PRODUCT$openemr"]}