CVE-2026-21443
Cross-Site Scripting in OpenEMR xl() Translation Function
Publication date: 2026-02-25
Last updated on: 2026-02-26
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-emr | openemr | to 8.0.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-116 | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21443 is a vulnerability in OpenEMR, an electronic health records application, caused by inconsistent escaping of output from the xl() translation function. The xl() function returns unescaped strings, and although there are wrapper functions like xlt(), xla(), and xlj() designed to properly escape output for HTML, attributes, and JavaScript contexts respectively, some parts of the codebase use xl() output directly without escaping.
This improper handling allows an attacker who can insert malicious content into the translation database to execute cross-site scripting (XSS) attacks by injecting malicious scripts that are rendered unescaped in the application.
Version 8.0.0 of OpenEMR fixes this issue by refactoring the code to replace all direct calls to xl() with properly escaped wrapper functions, removing unsafe wrappers, and enforcing consistent escaping across different contexts.
How can this vulnerability impact me? :
This vulnerability can lead to cross-site scripting (XSS) attacks if an attacker gains write access to the translation database and injects malicious content. XSS attacks can allow attackers to execute arbitrary scripts in the context of the affected application, potentially leading to session hijacking, defacement, or redirection to malicious sites.
However, the impact is considered low because exploitation requires attacker write access to the translation tables in the database, which is a restricted privilege.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability arises from the use of the unescaped xl() translation function in OpenEMR versions prior to 8.0.0, which can lead to cross-site scripting (XSS) if malicious content is inserted into the translation database.'}, {'type': 'paragraph', 'content': 'To detect this vulnerability on your system, you should audit the OpenEMR codebase and configuration for usage of the xl() function without proper escaping wrappers such as xlt(), xla(), xlj(), or xlx().'}, {'type': 'paragraph', 'content': 'Specifically, you can search the source code for direct calls to xl() and the presence of the Smarty {xl} plugin, which outputs unescaped strings.'}, {'type': 'list_item', 'content': 'Use grep or similar tools to find unescaped xl() calls, for example: grep -r "xl(" /path/to/openemr'}, {'type': 'list_item', 'content': 'Check for usage of the Smarty {xl} plugin in templates: grep -r "{xl}" /path/to/openemr/templates'}, {'type': 'list_item', 'content': 'Review the translation database entries for suspicious or unexpected content that could be malicious.'}, {'type': 'paragraph', 'content': 'Since exploitation requires attacker write access to the translation database, monitoring database changes or unusual write activity to translation tables can also help detect potential exploitation attempts.'}] [1, 2]
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade OpenEMR to version 8.0.0 or later, where this vulnerability has been fixed by replacing all unescaped xl() calls with properly escaped wrapper functions.
If upgrading immediately is not possible, you should:
- Audit and modify the codebase to replace all direct xl() calls with the appropriate escaped functions such as xlt() for HTML, xla() for attributes, xlj() for JavaScript, and xlx() for XML contexts.
- Replace the Smarty {xl} plugin with {xlt} or {xla} to ensure proper escaping in templates.
- Remove or replace usage of the unsafe z_xl() wrapper with z_xlt().
- Migrate any xls() function calls to xlj() to ensure proper JavaScript escaping.
Additionally, restrict write access to the translation database to trusted users only, as exploitation requires the ability to insert malicious content into translation entries.