CVE-2026-32118
Received Received - Intake
Stored XSS in OpenEMR Pain Map Enables Session Hijacking

Publication date: 2026-03-11

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, stored cross-site scripting (XSS) in the Graphical Pain Map ("clickmap") form allows any authenticated clinician to inject arbitrary JavaScript that executes in the browser of every subsequent user who views the affected encounter form. Because session cookies are not marked HttpOnly, this enables full session hijacking of other users, including administrators. This vulnerability is fixed in 8.0.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-13
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-14
NVD
CVE-2026-32118
EUVD
EUVD-2026-11387
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open-emr openemr to 8.0.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32118 is a stored cross-site scripting (XSS) vulnerability in the Graphical Pain Map feature of OpenEMR versions prior to 8.0.0.1.

The vulnerability occurs because annotation text entered by authenticated clinicians is not properly sanitized before being stored and rendered. This allows an attacker to inject arbitrary JavaScript code that executes in the browser of any user who views the affected encounter form.

Technically, the issue arises when URL-encoded annotation text is decoded and directly injected into HTML without escaping, enabling execution of malicious scripts.

Additionally, session cookies are not marked as HttpOnly, which means the injected script can steal session tokens and hijack user sessions, including those of administrators.

This vulnerability is fixed in OpenEMR version 8.0.0.1.

Impact Analysis

This vulnerability allows any authenticated user with permission to create or edit encounter forms to inject persistent JavaScript code that executes in the browsers of all subsequent users who view the affected form.

Because session cookies are not marked HttpOnly, the injected script can steal session tokens, enabling full session hijacking.

Attackers can gain unauthorized access to protected health information (PHI), escalate privileges, and potentially compromise the confidentiality and integrity of sensitive patient data.

This can lead to serious security breaches in healthcare environments, affecting clinicians, administrators, and patients.

Compliance Impact

This vulnerability has serious implications for compliance with healthcare regulations such as HIPAA.

Because it enables unauthorized access to protected health information (PHI) through session hijacking and cross-site scripting, it compromises the confidentiality and integrity of sensitive patient data.

Such a breach could lead to violations of HIPAA requirements for safeguarding patient information and may also impact compliance with other data protection regulations like GDPR that mandate protection of personal data.

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by checking for the presence of stored cross-site scripting (XSS) payloads in the Graphical Pain Map form of OpenEMR versions prior to 8.0.0.1. Specifically, look for annotation text containing suspicious JavaScript or HTML tags such as <img src=x onerror=...> in the 'Detail' textarea of encounter forms."}, {'type': 'paragraph', 'content': 'To detect exploitation attempts or presence of malicious annotations, you can query the database for entries in the clickmap-related tables containing suspicious script or HTML tags.'}, {'type': 'paragraph', 'content': 'Example SQL command to find suspicious annotations (adjust table and column names as per your OpenEMR schema):'}, {'type': 'list_item', 'content': "SELECT * FROM clickmap_annotations WHERE detail LIKE '%<img%onerror=%';"}, {'type': 'paragraph', 'content': 'Additionally, monitoring HTTP requests for unusual payloads submitted to the save.php endpoint related to the clickmap form can help detect attempts to inject malicious scripts.'}, {'type': 'paragraph', 'content': 'You can also inspect browser behavior for unexpected JavaScript execution when viewing encounter forms with the Graphical Pain Map.'}] [1]

Mitigation Strategies

The immediate mitigation step is to upgrade OpenEMR to version 8.0.0.1 or later, where this vulnerability is fixed.

If upgrading immediately is not possible, restrict or disable access to the Graphical Pain Map feature for authenticated users who do not require it, to reduce the risk of malicious annotation input.

Review and sanitize existing annotations in the database to remove any malicious scripts.

Configure session cookies to be marked HttpOnly to prevent JavaScript from accessing session tokens, reducing the risk of session hijacking.

Implement additional input validation and output encoding on the server side to prevent injection of malicious scripts.

Monitor logs and user activity for suspicious behavior related to the Graphical Pain Map feature.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32118. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart