{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33913", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T15:41:47.492Z", "datePublished": "2026-03-25T22:52:50.449Z", "dateUpdated": "2026-03-26T18:08:31.010Z"}, "containers": {"cna": {"title": "OpenEMR: XInclude Injection in CCDA Import Allows Reading Arbitrary Server Files", "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "lang": "en", "description": "CWE-611: Improper Restriction of XML External Entity Reference", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/openemr/openemr/security/advisories/GHSA-9757-3cfj-wc8q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-9757-3cfj-wc8q"}, {"name": "https://github.com/openemr/openemr/commit/67e1702c41cf486af0069bdafce19860e2cd9a11", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/commit/67e1702c41cf486af0069bdafce19860e2cd9a11"}, {"name": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3"}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"version": "< 8.0.0.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T22:52:50.449Z"}, "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an authenticated user with access to the Carecoordination module can upload a crafted CCDA document containing `<xi:include href=\"file:///etc/passwd\" parse=\"text\"/>` to read arbitrary files from the server. Version 8.0.0.3 patches the issue."}], "source": {"advisory": "GHSA-9757-3cfj-wc8q", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T18:08:22.949304Z", "id": "CVE-2026-33913", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:08:31.010Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33913", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-24T15:41:47.492Z", "datePublished": "2026-03-25T22:52:50.449Z", "dateUpdated": "2026-03-26T18:08:31.010Z"}, "containers": {"cna": {"title": "OpenEMR: XInclude Injection in CCDA Import Allows Reading Arbitrary Server Files", "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "lang": "en", "description": "CWE-611: Improper Restriction of XML External Entity Reference", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/openemr/openemr/security/advisories/GHSA-9757-3cfj-wc8q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-9757-3cfj-wc8q"}, {"name": "https://github.com/openemr/openemr/commit/67e1702c41cf486af0069bdafce19860e2cd9a11", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/commit/67e1702c41cf486af0069bdafce19860e2cd9a11"}, {"name": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3"}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"version": "< 8.0.0.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-25T22:52:50.449Z"}, "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an authenticated user with access to the Carecoordination module can upload a crafted CCDA document containing `<xi:include href=\"file:///etc/passwd\" parse=\"text\"/>` to read arbitrary files from the server. Version 8.0.0.3 patches the issue."}], "source": {"advisory": "GHSA-9757-3cfj-wc8q", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33913", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T18:08:22.949304Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T18:08:26.645Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "matchCriteriaId": "E3E098AF-42A1-4798-85A7-80052F19F809", "versionEndExcluding": "8.0.0.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an authenticated user with access to the Carecoordination module can upload a crafted CCDA document containing `<xi:include href=\"file:///etc/passwd\" parse=\"text\"/>` to read arbitrary files from the server. Version 8.0.0.3 patches the issue."}], "id": "CVE-2026-33913", "lastModified": "2026-03-26T16:25:24.290", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-25T23:17:10.660", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openemr/openemr/commit/67e1702c41cf486af0069bdafce19860e2cd9a11"}, {"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/openemr/openemr/releases/tag/v8_0_0_3"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-9757-3cfj-wc8q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.0.0.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openemr", "source": "cna", "vendor": "openemr"}, "product": "openemr", "vendor": "openemr"}], "analysis": {"en": {"generated_at": "2026-03-26T00:54:18.106204+00:00", "value": {"mitigation_remediation": ["Update OpenEMR to version 8.0.0.3 or later, which contains the fix.", "Remove or revoke permissions for users who no longer require access to the Carecoordination module.", "Restrict CCDA document uploads or disable XInclude processing if the module cannot be updated immediately.", "Monitor application logs for suspicious CCDA upload attempts containing XInclude references."], "summary": {"action": "Patch immediately", "impact": "Reading arbitrary server files via XInclude injection"}, "threat_synthesis": {"affected_systems": "The issue exists in OpenEMR for all releases before 8.0.0.3. Versions from the 8.0.0 series up to but not including 8.0.0.3 are affected. The patch is incorporated in release 8.0.0.3 and later versions.", "description_and_impact": "An authenticated user with access to the Carecoordination module can upload a CCDA file containing a malicious XInclude tag that requests the server to read arbitrary files, such as /etc/passwd. The vulnerability allows unrestricted reading of any file the web server can access and results in confidentiality compromise. It is a classic File Inclusion flaw classified as CWE\u2011611, and the CVSS score of 7.7 reflects a high severity.", "risk_and_exploitability": "Exploitation requires only legitimate credentials that enable uploading CCDA documents. Once an attacker obtains such access, they can easily craft a CCDA file containing an XInclude reference to any file, causing the server to return its contents. No publicly available exploit is listed in the CISA KEV catalog, and the EPSS score is unavailable. However, the high CVSS rating and the relatively low barrier to exploitation make this a significant risk for installations that have not applied the patch."}}}}, "created": "2026-03-26T11:31:14.916242+00:00", "updated": "2026-03-26T12:09:18.101238+00:00", "vendors": ["openemr", "openemr$PRODUCT$openemr"]}