CVE-2026-32121
Received Received - Intake
Stored XSS in OpenEMR Patient Data Affects Multiple Components

Publication date: 2026-03-11

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, Stored XSS in prescription CSS/HTML print view via patient demographics. That finding involves server-side rendering of patient names via raw PHP echo. This finding involves client-side DOM-based rendering via jQuery .html() in a completely different component (portal/sign/assets/signer_api.js). The two share the same root cause (unsanitized patient names in patient_data), but they have different sinks, different affected components, different trigger actions, and require independent fixes. This vulnerability is fixed in 8.0.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-13
Generated
2026-05-07
AI Q&A
2026-03-11
EPSS Evaluated
2026-05-05
NVD
CVE-2026-32121
EUVD
EUVD-2026-11389
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open-emr openemr to 8.0.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

[{'type': 'paragraph', 'content': "CVE-2026-32121 is a high-severity stored DOM-based cross-site scripting (XSS) vulnerability in OpenEMR versions prior to 8.0.0.1. It occurs in the portal signature modal component where patient names are rendered on the client side using jQuery's .html() method without proper sanitization."}, {'type': 'paragraph', 'content': 'The vulnerability arises because patient names containing HTML or script content are stored unsanitized in the database, and the patient self-registration flow allows attacker-controlled input to enter the system without validation. The server-side validation function does not sanitize or reject HTML input, and no encoding or sanitization happens before inserting the data into the DOM.'}, {'type': 'paragraph', 'content': 'When a staff member opens the attacker’s patient record and triggers the signature modal, the malicious patient name is rendered using .html(), causing the embedded script to execute in the staff member’s browser.'}] [1]


How can this vulnerability impact me? :

This vulnerability allows an attacker to execute arbitrary JavaScript in the browsers of clinical staff members by injecting malicious code through patient names.

  • It can lead to session hijacking, allowing attackers to take over staff user sessions.
  • It can enable data exfiltration, exposing sensitive patient or clinical data.
  • It may allow unauthorized actions or modification of clinical records.

Exploitation requires patient self-registration to be enabled and staff interaction with the attacker’s patient record, making the attack vector network-based but with high complexity.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

[{'type': 'paragraph', 'content': "This vulnerability can be detected by identifying if your OpenEMR installation is running a version prior to 8.0.0.1 and if patient self-registration is enabled, allowing attacker-controlled input. Specifically, you can check for the presence of the vulnerable JavaScript code in the staff interface, particularly in the file portal/sign/assets/signer_api.js around line 279 where jQuery's .html() method is used to render patient names without sanitization."}, {'type': 'paragraph', 'content': 'To detect exploitation attempts or presence of malicious data, you can query the database for patient names containing suspicious HTML or JavaScript tags, such as <img> tags with onerror attributes.'}, {'type': 'paragraph', 'content': 'Suggested commands include:'}, {'type': 'list_item', 'content': "Check OpenEMR version: `grep 'version' /path/to/openemr/version.php` or check the application UI for version info."}, {'type': 'list_item', 'content': 'Check if patient self-registration is enabled by reviewing OpenEMR configuration files or admin settings.'}, {'type': 'list_item', 'content': "Search the database for patient names containing HTML tags (example for MySQL): `SELECT id, fname, lname FROM patient_data WHERE fname LIKE '%<%' OR lname LIKE '%<%';`"}, {'type': 'list_item', 'content': "Inspect the JavaScript file for vulnerable code: `grep -n '.html(' /path/to/openemr/portal/sign/assets/signer_api.js`"}] [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate and most effective mitigation is to upgrade OpenEMR to version 8.0.0.1 or later, where this vulnerability has been fixed.

If upgrading immediately is not possible, consider the following interim mitigations:

  • Disable patient self-registration to prevent attacker-controlled input from entering the database.
  • Manually sanitize or remove any patient names in the database that contain HTML or JavaScript code.
  • Restrict staff access to patient records that might contain malicious data until the issue is resolved.
  • Review and enhance Content-Security-Policy headers to restrict inline scripts and event handlers, although this alone will not fully mitigate the vulnerability.

Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart