CVE-2026-32119
Received Received - Intake
DOM-Based Stored XSS in OpenEMR SearchHighlight Plugin Allows Code Injection

Publication date: 2026-03-19

Last updated on: 2026-03-20

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, DOM-based stored XSS in the jQuery SearchHighlight plugin (`library/js/SearchHighlight.js`) allows an authenticated user with encounter form write access to inject arbitrary JavaScript that executes in another clinician's browser session when they use the search/find feature on the Custom Report page. The plugin reverses server-side HTML entity encoding by reading decoded text from DOM text nodes, concatenating it into a raw HTML string, and passing it to jQuery's `$()` constructor for HTML parsing. Version 8.0.0.2 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-19
Last Modified
2026-03-20
Generated
2026-06-16
AI Q&A
2026-03-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32119
EUVD
EUVD-2026-13156
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open-emr openemr to 8.0.0.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-32119 is a DOM-based stored Cross-Site Scripting (XSS) vulnerability in the OpenEMR electronic health records application, specifically in the jQuery SearchHighlight plugin used on the Custom Report page.'}, {'type': 'paragraph', 'content': 'The vulnerability occurs because the plugin reads decoded text from DOM text nodes, which contain browser-decoded HTML entities, and then reconstructs an HTML string by concatenating these substrings with highlight span elements without properly escaping the content.'}, {'type': 'paragraph', 'content': "This reconstructed HTML string is passed to jQuery's `$()` constructor, which parses it as live HTML. If an attacker injects malicious JavaScript code into a free-text field (such as an encounter form), this code can be executed in another clinician's browser session when they use the single-word search feature on the Custom Report page."}, {'type': 'paragraph', 'content': 'The vulnerability affects OpenEMR versions prior to 8.0.0.2 and was fixed by properly escaping special characters in the text before inserting it into the DOM, preventing execution of injected scripts.'}] [1, 2]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability allows an authenticated user with encounter form write access to inject persistent malicious JavaScript code into the OpenEMR system.'}, {'type': 'paragraph', 'content': 'When other clinicians use the single-word search feature on the Custom Report page, the injected script executes in their browser sessions.'}, {'type': 'list_item', 'content': "The malicious script runs in the victim's authenticated session context."}, {'type': 'list_item', 'content': 'It can expose sensitive information such as session tokens and CSRF tokens.'}, {'type': 'list_item', 'content': 'It may enable attackers to perform unauthorized actions on behalf of the victim clinician.'}, {'type': 'paragraph', 'content': 'The overall impact is moderate, with a CVSS v3 base score of 4.4, indicating a network attack vector with high attack complexity but requiring low privileges and user interaction.'}] [2]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by testing the behavior of the Custom Report page's single-word search feature in OpenEMR versions prior to 8.0.0.2. Specifically, an authenticated user with encounter form write access can input a payload containing malicious JavaScript (e.g., <img src=x onerror=alert(document.domain)>) into a free-text field of an encounter form. After saving, performing a single-word search on the Custom Report page triggers the execution of the injected script if the system is vulnerable."}, {'type': 'paragraph', 'content': 'To detect the vulnerability, you can perform the following steps:'}, {'type': 'list_item', 'content': 'Log in as an authenticated user with encounter form write permissions.'}, {'type': 'list_item', 'content': 'Insert a test payload such as: routine checkup <img src=x onerror=alert(document.domain)> into a free-text field (e.g., SOAP notes) of an encounter form.'}, {'type': 'list_item', 'content': 'Save the form.'}, {'type': 'list_item', 'content': 'Navigate to the Custom Report page and select the encounter containing the payload.'}, {'type': 'list_item', 'content': 'Perform a single-word search (e.g., "routine") in the report’s Find box.'}, {'type': 'paragraph', 'content': 'If an alert box or similar JavaScript execution occurs, the vulnerability is present.'}] [2]

Mitigation Strategies

The immediate mitigation step is to upgrade OpenEMR to version 8.0.0.2 or later, where this vulnerability is fixed.

The fix involves properly escaping all text fragments in the SearchHighlight plugin before inserting them into the DOM, preventing execution of injected scripts.

Until the upgrade can be applied, consider restricting encounter form write access to trusted users only, as the vulnerability requires authenticated users with such permissions to inject malicious payloads.

Additionally, avoid using the single-word search feature on the Custom Report page or disable it if possible, as multi-word searches use a safe code path.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32119. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart