CVE-2026-33913

HIGH 7.7

OpenEMR: XInclude Injection in CCDA Import Allows Reading Arbitrary Server Files

CVSS Score

7.7

EPSS Score

0.0%

EPSS Percentile

7th

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an authenticated user with access to the Carecoordination module can upload a crafted CCDA document containing `<xi:include href="file:///etc/passwd" parse="text"/>` to read arbitrary files from the server. Version 8.0.0.3 patches the issue.

CWE	CWE-611
Vendor	openemr
Product	openemr
Published	Mar 25, 2026
Last Updated	Mar 26, 2026

Stay Ahead of the Next One

Get instant alerts for openemr openemr

Be the first to know when new high vulnerabilities affecting openemr openemr are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Affected Versions

openemr / openemr

< 8.0.0.3

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/openemr/openemr/security/advisories/GHSA-9757-3cfj-wc8q github.com: https://github.com/openemr/openemr/commit/67e1702c41cf486af0069bdafce19860e2cd9a11 github.com: https://github.com/openemr/openemr/releases/tag/v8_0_0_3