CVE-2026-32119
DOM-Based Stored XSS in OpenEMR SearchHighlight Plugin Allows Code Injection
Publication date: 2026-03-19
Last updated on: 2026-03-20
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-emr | openemr | up to 8.0.0.2 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32119 is a DOM-based stored Cross-Site Scripting (XSS) vulnerability in the OpenEMR electronic health records application, specifically in the jQuery SearchHighlight plugin used on the Custom Report page.

The vulnerability occurs because the plugin reads decoded text from DOM text nodes, which contain browser-decoded HTML entities, and then reconstructs an HTML string by concatenating these substrings with highlight span elements without properly escaping the content.

This reconstructed HTML string is passed to jQuery's `$()` constructor, which parses it as live HTML. If an attacker injects malicious JavaScript code into a free-text field (such as an encounter form), this code can be executed in another clinician's browser session when they use the single-word search feature on the Custom Report page.

The vulnerability affects OpenEMR versions prior to 8.0.0.2 and was fixed by properly escaping special characters in the text before inserting it into the DOM, preventing execution of injected scripts. [1, 2]
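As an added illustration (not code from OpenEMR or the SearchHighlight plugin; the function names and the sample note are constructed), the rebuild-then-parse pattern the answer describes sits beside the escape-first form the fix describes, so the difference in output can be checked directly:

```javascript
// Added illustration of the bug pattern in the advisory, not the plugin's own code.
// Function names are hypothetical.

// Escape the characters that change meaning when text is placed into an HTML context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Escape regex metacharacters so the user-supplied search term is matched literally.
function escapeRegExp(s) {
  return String(s).replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Vulnerable pattern: `nodeText` is what `textNode.nodeValue` returns, i.e. the browser
// has already decoded entities such as &lt;img&gt; back into "<img>". Splicing that raw
// text into a string that `$()` will parse as HTML re-activates the stored markup.
function highlightUnsafe(nodeText, term) {
  const re = new RegExp("(" + escapeRegExp(term) + ")", "gi");
  return nodeText.replace(re, '<span class="highlight">$1</span>');
}

// Hardened pattern (the approach the fix describes): escape every text fragment first,
// then wrap the matches in highlight markup, so decoded user text stays inert text.
function highlightSafe(nodeText, term) {
  const re = new RegExp("(" + escapeRegExp(term) + ")", "gi");
  return nodeText
    .split(re) // with a capturing group, odd indices are the matched terms
    .map((part, i) =>
      i % 2 === 1
        ? '<span class="highlight">' + escapeHtml(part) + "</span>"
        : escapeHtml(part))
    .join("");
}

// Constructed sample: what a text node holds after a stored note like the one in the
// advisory has been rendered once as text and then read back through nodeValue.
const SAMPLE_NOTE = "routine checkup <img src=x onerror=alert(document.domain)>";

function demo() {
  return {
    unsafe: highlightUnsafe(SAMPLE_NOTE, "routine"),
    safe: highlightSafe(SAMPLE_NOTE, "routine"),
  };
}
```

In the unsafe output the `<img>` tag survives as live markup; in the safe output it becomes `&lt;img ...&gt;`, which the parser renders as visible text.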
How can this vulnerability impact me?
This vulnerability allows an authenticated user with encounter form write access to inject persistent malicious JavaScript code into the OpenEMR system.

When other clinicians use the single-word search feature on the Custom Report page, the injected script executes in their browser sessions.

- The malicious script runs in the victim's authenticated session context.
- It can expose sensitive information such as session tokens and CSRF tokens.
- It may enable attackers to perform unauthorized actions on behalf of the victim clinician.

The overall impact is moderate, with a CVSS v3 base score of 4.4, indicating a network attack vector with high attack complexity but requiring low privileges and user interaction. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the behavior of the Custom Report page's single-word search feature in OpenEMR versions prior to 8.0.0.2. Specifically, an authenticated user with encounter form write access can input a payload containing malicious JavaScript (e.g., `<img src=x onerror=alert(document.domain)>`) into a free-text field of an encounter form. After saving, performing a single-word search on the Custom Report page triggers the execution of the injected script if the system is vulnerable.

To detect the vulnerability, you can perform the following steps:

1. Log in as an authenticated user with encounter form write permissions.
2. Insert a test payload such as `routine checkup <img src=x onerror=alert(document.domain)>` into a free-text field (e.g., SOAP notes) of an encounter form.
3. Save the form.
4. Navigate to the Custom Report page and select the encounter containing the payload.
5. Perform a single-word search (e.g., "routine") in the report's Find box.

If an alert box or similar JavaScript execution occurs, the vulnerability is present. [2]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade OpenEMR to version 8.0.0.2 or later, where this vulnerability is fixed.
The fix involves properly escaping all text fragments in the SearchHighlight plugin before inserting them into the DOM, preventing execution of injected scripts.
Until the upgrade can be applied, consider restricting encounter form write access to trusted users only, as the vulnerability requires authenticated users with such permissions to inject malicious payloads.
Additionally, avoid using the single-word search feature on the Custom Report page or disable it if possible, as multi-word searches use a safe code path.