CVE-2026-32125
Received Received - Intake
Stored XSS in OpenEMR Track Anything Feature Allows Script Injection

Publication date: 2026-03-11

Last updated on: 2026-03-13

Assigner: GitHub, Inc.

Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, track/item names from the Track Anything feature are stored from user input (POST) and later rendered in Dygraph charts (titles/labels) using innerHTML or equivalent without escaping. A user who can create or edit Track Anything items can inject script that runs when any user views the corresponding graph. This vulnerability is fixed in 8.0.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-13
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32125
EUVD
EUVD-2026-11397
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
open-emr openemr to 8.0.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in OpenEMR versions prior to 8.0.0.1 in the Track Anything feature. Track or item names are taken from user input and later displayed in Dygraph charts as titles or labels without proper escaping. Because these names are rendered using innerHTML or an equivalent method without sanitization, a user who can create or edit Track Anything items can inject malicious scripts. These scripts execute when any user views the corresponding graph.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

The vulnerability is fixed in OpenEMR version 8.0.0.1. To mitigate this vulnerability, you should upgrade your OpenEMR installation to version 8.0.0.1 or later.

Impact Analysis

The vulnerability allows an attacker with permission to create or edit Track Anything items to perform cross-site scripting (XSS) attacks. This can lead to the execution of arbitrary scripts in the context of other users viewing the affected graphs. Potential impacts include theft of user credentials, session hijacking, or unauthorized actions performed on behalf of other users.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32125. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart