CVE-2026-32124
Received Received - Intake
Stored Cross-Site Scripting in OpenEMR Code Picker Endpoint

Publication date: 2026-03-11

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the dynamic code picker AJAX endpoint returns code descriptions (code_text) that are rendered in the front end (e.g. DataTables) without HTML escaping. If an administrator (or user with code management rights) creates or edits a code with a malicious description containing script, that script runs in the browser of every user who uses the picker. This vulnerability is fixed in 8.0.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-13
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32124
EUVD
EUVD-2026-11395
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open-emr openemr to 8.0.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

I don't know

Executive Summary

This vulnerability exists in OpenEMR versions prior to 8.0.0.1. The dynamic code picker AJAX endpoint returns code descriptions that are rendered on the front end without HTML escaping. If an administrator or a user with code management rights creates or edits a code description containing malicious script, that script will execute in the browsers of all users who use the picker.

Impact Analysis

The vulnerability allows malicious scripts to run in the browsers of users who access the affected code picker. This can lead to cross-site scripting (XSS) attacks, potentially compromising user sessions, stealing sensitive information, or performing unauthorized actions on behalf of the user.

Compliance Impact

I don't know

Mitigation Strategies

To mitigate this vulnerability, you should upgrade OpenEMR to version 8.0.0.1 or later, where the issue has been fixed.

Additionally, restrict code management rights to trusted administrators only to reduce the risk of malicious code descriptions being created or edited.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32124. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart