CVE-2026-33913

Published: Mar 26, 2026 Last Modified: Mar 26, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 7,7

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: low

User Interaction: none

Scope: changed

Confidentiality: high

Integrity: none

Availability: none

Description

AI Translation Available

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, an authenticated user with access to the Carecoordination module can upload a crafted CCDA document containing `<xi:include href='file:///etc/passwd' parse='text'/>` to read arbitrary files from the server. Version 8.0.0.3 patches the issue.

611

Improper Restriction of XML External Entity Reference

Draft

Abstraction: Base Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality Integrity Availability

Potential Impacts:

Read Application Data Read Files Or Directories Bypass Protection Mechanism Dos: Resource Consumption (Cpu) Dos: Resource Consumption (Memory)

Applicable Platforms

Languages: Not Language-Specific, XML

Technologies: Not Technology-Specific, Web Based

View CWE Details

https://github.com/openemr/openemr/commit/67e1702c41cf486af…

https://github.com/openemr/openemr/commit/67e1702c41cf486af0069bdafce19860e2cd9…

https://github.com/openemr/openemr/releases/tag/v8_0_0_3

https://github.com/openemr/openemr/security/advisories/GHSA…

https://github.com/openemr/openemr/security/advisories/GHSA-9757-3cfj-wc8q

CVE-2026-33913

Description

Improper Restriction of XML External Entity Reference

Common Consequences

Applicable Platforms

Iscriviti alla newsletter