CVE-2026-32125
Received Received - Intake
Stored XSS in OpenEMR Track Anything Feature Allows Script Injection

Publication date: 2026-03-11

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, track/item names from the Track Anything feature are stored from user input (POST) and later rendered in Dygraph charts (titles/labels) using innerHTML or equivalent without escaping. A user who can create or edit Track Anything items can inject script that runs when any user views the corresponding graph. This vulnerability is fixed in 8.0.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-13
Generated
2026-05-07
AI Q&A
2026-03-11
EPSS Evaluated
2026-05-05
NVD
CVE-2026-32125
EUVD
EUVD-2026-11397
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open-emr openemr to 8.0.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in OpenEMR versions prior to 8.0.0.1 in the Track Anything feature. Track or item names are taken from user input and later displayed in Dygraph charts as titles or labels without proper escaping. Because these names are rendered using innerHTML or an equivalent method without sanitization, a user who can create or edit Track Anything items can inject malicious scripts. These scripts execute when any user views the corresponding graph.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is fixed in OpenEMR version 8.0.0.1. To mitigate this vulnerability, you should upgrade your OpenEMR installation to version 8.0.0.1 or later.


How can this vulnerability impact me? :

The vulnerability allows an attacker with permission to create or edit Track Anything items to perform cross-site scripting (XSS) attacks. This can lead to the execution of arbitrary scripts in the context of other users viewing the affected graphs. Potential impacts include theft of user credentials, session hijacking, or unauthorized actions performed on behalf of other users.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart