CVE-2026-32124
Stored Cross-Site Scripting in OpenEMR Code Picker Endpoint
Publication date: 2026-03-11
Last updated on: 2026-03-13
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| open-emr | openemr | to 8.0.0.1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
Can you explain this vulnerability to me?
This vulnerability exists in OpenEMR versions prior to 8.0.0.1. The dynamic code picker AJAX endpoint returns code descriptions that are rendered on the front end without HTML escaping. If an administrator or a user with code management rights creates or edits a code description containing malicious script, that script will execute in the browsers of all users who use the picker.
How can this vulnerability impact me? :
The vulnerability allows malicious scripts to run in the browsers of users who access the affected code picker. This can lead to cross-site scripting (XSS) attacks, potentially compromising user sessions, stealing sensitive information, or performing unauthorized actions on behalf of the user.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade OpenEMR to version 8.0.0.1 or later, where the issue has been fixed.
Additionally, restrict code management rights to trusted administrators only to reduce the risk of malicious code descriptions being created or edited.