CVE-2026-46518
Status: Analyzed (Analysis Complete)

Stored XSS in OpenEMR Patient Portal via Multi-Print Feature

Vulnerability report for CVE-2026-46518, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.1, a stored cross-site scripting vulnerability in the prescription CSS/HTML multi-print feature allows a patient portal user to execute arbitrary JavaScript in a clinician's browser session. Patient demographic fields (name, address) are rendered without output encoding in multiprintcss_header(), and portal patients can write attacker-controlled HTML directly into patient_data by calling the PUT api/patient/:num endpoint, which bypasses the intended audit review workflow. Because the XSS fires in the clinician's authenticated session on the main OpenEMR interface, the attacker can access CSRF tokens, session data, and perform actions as the clinician, crossing the patient-to-clinician trust boundary. This issue has been patched in version 8.0.0.1.

Meta Information

Published: 2026-06-10
Last Modified: 2026-06-11
Generated: 2026-06-30
AI Q&A: 2026-06-10
EPSS Evaluated: 2026-06-29
NVD

Affected Vendors & Products

Vendor: open-emr
Product: openemr
Version / Range: all versions before 8.0.0.1 (8.0.0.1 itself excluded)

Exploitability

CWE ID: Description
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

AI Quick Actions

Executive Summary

CVE-2026-46518 is a stored cross-site scripting (XSS) vulnerability in OpenEMR versions prior to 8.0.0.1, specifically in the prescription CSS/HTML multi-print feature.

The vulnerability occurs because patient demographic fields such as name and address are rendered without proper output encoding in the multiprintcss_header() function.

A patient portal user can exploit this by injecting malicious JavaScript into their own patient data via the PUT api/patient/:num endpoint, which bypasses the intended audit review workflow.

When a clinician uses the CSS/HTML multi-print option for the patient's prescription, the injected script executes in the clinician's authenticated browser session.

This allows the attacker to access CSRF tokens, session data, and perform actions as the clinician, effectively crossing the patient-to-clinician trust boundary.

Impact Analysis

This vulnerability can have serious impacts if exploited.

  • An attacker with patient portal access can inject malicious scripts that execute in a clinician's session.
  • The attacker can steal CSRF tokens and session data, potentially hijacking the clinician's session.
  • The attacker can perform unauthorized actions as the clinician, which may include accessing or modifying sensitive medical records.
  • This breaks the trust boundary between patient and clinician, potentially leading to data breaches and unauthorized system control.

Detection Guidance

Detection of this vulnerability involves identifying if patient portal users have injected malicious JavaScript into patient demographic fields via the PUT api/patient/:num endpoint.

One approach is to monitor or log API calls to the PUT api/patient/:num endpoint for unusual or suspicious input containing HTML or JavaScript code.

Additionally, inspecting the stored patient demographic data for embedded scripts or HTML tags can help detect exploitation attempts.

In practice this means searching web server logs for PUT requests to api/patient/ endpoints whose payloads contain script tags or suspicious HTML.

For example, using grep on the access log: `grep -i 'PUT /api/patient/' /var/log/openemr/access.log | grep -E '<script|<.*onerror|<.*onload'` lists candidate script injections. Note that a standard access log records only the request line, not the request body, so this command catches only markup that appears in the URL or query string; a payload sent in the PUT body shows up only in body-level logging (a WAF or application log) or by inspecting the stored patient_data fields directly.
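The two detection checks above (PUT traffic to the patient endpoint, and markup sitting in stored demographic fields) carried out in Python, as an added example that is not part of this report or of OpenEMR itself. The log lines, the patient_data rows and their column names (fname, lname, street) are constructed for illustration and assumed, not taken from a real deployment.

```python
import re
from urllib.parse import unquote

# Markers of HTML/JS in a value that should be plain demographic text.
# Deliberately broad: this is a triage filter, not an HTML parser.
HTML_MARKER = re.compile(r"<\s*/?[a-z!]|\bon[a-z]+\s*=|javascript:", re.I)

# Combined-format request line: client IP, then "METHOD PATH PROTOCOL".
REQUEST_LINE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"')

# Constructed sample log lines (not real traffic); the endpoint path form is assumed.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2026:09:12:01 +0000] "PUT /api/patient/12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jun/2026:09:13:44 +0000] "GET /portal/index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jun/2026:09:15:10 +0000] "PUT /api/patient/7?x=%3Cscript%3E HTTP/1.1" 200 310 "-" "curl/8.0"
"""

def flag_patient_put_requests(log_text):
    """Return (ip, path, url_has_markup) for every PUT to api/patient/.
    An access log holds only the request line, so a payload sent in the body
    is invisible here; every PUT to the endpoint is listed so it can be
    cross-checked against the stored record."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_LINE.match(line)
        if not m or m["method"] != "PUT" or "api/patient/" not in m["path"]:
            continue
        hits.append((m["ip"], m["path"], bool(HTML_MARKER.search(unquote(m["path"])))))
    return hits

# Constructed patient_data rows; column names are assumed, not OpenEMR's schema.
SAMPLE_PATIENT_DATA = [
    {"pid": 7, "fname": "Alice", "lname": "Doe", "street": "1 Main St"},
    {"pid": 12, "fname": "Bob", "lname": "Roe<script>1</script>", "street": "2 Oak Ave"},
    {"pid": 13, "fname": "Cy", "lname": "Poe", "street": "<p onload=x>3 Elm Rd"},
]
DEMOGRAPHIC_FIELDS = ("fname", "lname", "street")

def find_html_in_demographics(rows, fields=DEMOGRAPHIC_FIELDS):
    """Return (pid, field) for each stored demographic value containing markup."""
    return [(r["pid"], f) for r in rows for f in fields
            if HTML_MARKER.search(str(r.get(f, "")))]

if __name__ == "__main__":
    for hit in flag_patient_put_requests(SAMPLE_LOG):
        print("PUT to patient endpoint:", hit)
    for pid, field in find_html_in_demographics(SAMPLE_PATIENT_DATA):
        print(f"markup stored in patient_data pid={pid} field={field}")
```

The log check surfaces who wrote to the endpoint and when; the field check is the one that confirms whether a body payload actually landed in patient_data.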

Mitigation Strategies

The primary mitigation step is to upgrade OpenEMR to version 8.0.0.1 or later, where this vulnerability has been patched.

Until the upgrade can be applied, restrict patient portal users' ability to modify demographic fields or disable the CSS/HTML multi-print feature to prevent execution of injected scripts.

Implement monitoring of API usage to detect and block suspicious PUT requests to the patient data endpoint.

Educate clinicians to avoid using the vulnerable multi-print option until the patch is applied.

Compliance Impact

The vulnerability allows a patient portal user to execute arbitrary JavaScript in a clinician's authenticated session, potentially exposing sensitive patient data such as demographic information and session tokens. This cross-site scripting (XSS) flaw bypasses audit review workflows and enables unauthorized actions as the clinician, which could lead to unauthorized access or modification of protected health information (PHI).

Such unauthorized access and potential data exposure can negatively impact compliance with regulations like HIPAA, which mandates the protection of patient health information and requires safeguards against unauthorized access. Similarly, GDPR requires strict controls over personal data processing and breach prevention. This vulnerability undermines these controls by allowing attackers to exploit trust boundaries and access sensitive data.
