Vulnerability Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users with the `Notes - my encounters` role can fill Eye Exam forms in patient encounters. The answers to the form can be printed out in PDF form. An Out-of-Band Server-Side Request Forgery (OOB SSRF) vulnerability was identified in the PDF creation function where the form answers are parsed as unescaped HTML, allowing an attacker to forge requests from the server made to external or internal resources. Version 8.0.0.2 fixes the issue.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Open-Emr | Openemr | < 8.0.0.2 |
Related Weaknesses (CWE)
References
- https://github.com/openemr/openemr/commit/dccc962f06bdf6105ca85c277915167caf3e7cPatch
- https://github.com/openemr/openemr/security/advisories/GHSA-5pc3-2crw-96rvExploitVendor Advisory
FAQ
What is CVE-2026-33321?
CVE-2026-33321 is a vulnerability with a CVSS score of 7.6 (HIGH). OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, users with the `Notes - my encounters` role can fill Eye Exam forms in patien...
How severe is CVE-2026-33321?
CVE-2026-33321 has been rated HIGH with a CVSS base score of 7.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-33321?
Check the references section above for vendor advisories and patch information. Affected products include: Open-Emr Openemr.