CVE-2026-33301
Published: 19 March 2026
Description
Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.
Security Summary
CVE-2026-33301 is an arbitrary file read vulnerability in OpenEMR, a free and open source electronic health records and medical practice management application. The issue affects versions prior to 8.0.0.2 and resides in the PDF creation function for Eye Exam forms within patient encounters. Specifically, form answers submitted by users are parsed as unescaped HTML, enabling the inclusion of arbitrary image files from the server in the generated PDF. The vulnerability is rated with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-116 (Improper Encoding or Escaping of Output).
The vulnerability can be exploited by authenticated users holding the "Notes - my encounters" role, who have permission to fill Eye Exam forms in patient encounters. By injecting HTML into form answers that references arbitrary image files on the server, an attacker can cause the PDF generation process to embed the contents of those files as images. This results in high confidentiality and integrity impacts, allowing unauthorized access to and exposure of server files through the downloadable PDF, without requiring user interaction beyond the normal workflow.
Mitigation is addressed in OpenEMR version 8.0.0.2, which fixes the unescaped HTML parsing in the PDF creation function. Security practitioners should upgrade to this version immediately. Additional details are available in the GitHub security advisory (GHSA-v9v3-q973-xp2h) and the fixing commit (dccc962f06bdf6105ca85c277915167caf3e7c28).
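As an added illustration (not OpenEMR's code and not the fixing commit), the following Python places the weak rendering step described above beside its escaped counterpart and adds a check a reviewer can run over the generated HTML before it reaches the PDF renderer. The form field names, the sample answers (one of which carries a placeholder image reference) and the function names are assumptions made for this example.

```python
import html
import re

# Constructed sample Eye Exam form answers (not taken from the advisory).
# "notes" carries markup of the kind the advisory describes: an <img> element
# whose src points at a server-side path (placeholder path, not a real file).
SAMPLE_ANSWERS = {
    "visual_acuity_od": "20/20",
    "visual_acuity_os": "20/25",
    "notes": '<img src="/placeholder/server/file">',
}

# Elements that make an HTML-to-PDF renderer fetch a resource from disk or network.
RESOURCE_TAG_RE = re.compile(r"<\s*(img|iframe|object|embed|link|source)\b", re.IGNORECASE)


def render_unescaped(answers):
    """Vulnerable pattern: answers are interpolated into the HTML verbatim,
    so any markup they contain is interpreted by the PDF renderer."""
    rows = "".join(f"<tr><th>{key}</th><td>{value}</td></tr>" for key, value in answers.items())
    return f"<html><body><table>{rows}</table></body></html>"


def render_escaped(answers):
    """Hardened pattern: every answer (and key) is HTML-escaped before
    interpolation, so '<', '>', '&' and quotes become inert text."""
    rows = "".join(
        f"<tr><th>{html.escape(str(key), quote=True)}</th>"
        f"<td>{html.escape(str(value), quote=True)}</td></tr>"
        for key, value in answers.items()
    )
    return f"<html><body><table>{rows}</table></body></html>"


def resource_tag_count(document):
    """Number of resource-loading elements in the rendered document.
    The template itself has none, so any hit comes from user data."""
    return len(RESOURCE_TAG_RE.findall(document))


def unescaped_fields(answers, document):
    """Keys whose raw value contains markup characters and still appears
    verbatim in the output; an empty list means all user data was neutralised."""
    return [
        key
        for key, value in answers.items()
        if any(ch in str(value) for ch in "<>&\"'") and str(value) in document
    ]


if __name__ == "__main__":
    for name, renderer in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        doc = renderer(SAMPLE_ANSWERS)
        print(f"{name}: resource tags={resource_tag_count(doc)}, "
              f"unescaped fields={unescaped_fields(SAMPLE_ANSWERS, doc)}")
```

The escaped renderer is the shape of the fix the advisory describes: user-supplied answers become text nodes, so an image reference in an answer is printed literally rather than fetched. The two check functions are useful as a regression test around any HTML-to-PDF path that takes free-text input.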
Details
CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The arbitrary file read vulnerability directly enables collection of data from local system files (T1005) and facilitates file and directory discovery (T1083) by allowing arbitrary server files to be embedded in generated PDFs.