Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the `xl()` translation function returns unescaped strings. While wrapper functions exist for escaping in different contexts (`xlt()` for HTML, `xla()` for attributes, `xlj()` for JavaScript), there are places in the codebase where `xl()` output is used directly without escaping. If an attacker could insert malicious content into the translation database, these unescaped outputs could lead to XSS. Version 8.0.0 fixes the issue.
Published: 2026-02-25
Score: 1.2 Low
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting
Action: Patch
AI Analysis

Impact

OpenEMR allows inconsistent escaping of translation function output. The xl() function returns raw strings from the translation database. While wrapper functions exist for escaping in specific contexts, certain code paths use xl() directly, leading to potential cross-site scripting if an attacker can insert malicious content into the translations. The vulnerability would allow execution of arbitrary client-side scripts when a victim views translated content.

Affected Systems

Affects the OpenEMR application prior to version 8.0.0. The issue was fixed in release 8.0.0, so any installation running an earlier version is vulnerable. The vulnerability applies to all deployments that use the default translation mechanism.

Risk and Exploitability

The CVSS score of 1.2 classifies the vulnerability as low. EPSS indicates a probability of less than 1%, and it is not listed in the CISA KEV catalog, suggesting that exploitation is currently rare. However, the attack requires an attacker to be able to insert or modify translation entries, which might be achievable through an administrative interface or compromised database access. If that capability exists, the exploitation path would involve an attacker adding malicious markup to a translation entry, which then gets rendered unescaped in the web interface, causing script execution in the victim's browser.

Generated by OpenCVE AI on April 17, 2026 at 15:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenEMR to version 8.0.0 or later to apply the fixed escaping logic.
  • If an upgrade cannot be performed immediately, restrict write access to the translation database and disable or lock translation editing functionality for non-trusted users.
  • As a temporary workaround, audit existing translations for unescaped content or enforce server-side escaping using the xlt(), xla(), or xlj() wrappers before outputting translation strings.
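The defect in the Description and the escaping wrappers named in the actions above, shown side by side as an added example. This is not OpenEMR's own code: the four functions are simplified stand-ins for the project's helpers (assumed behaviour: `xl()` returns the raw stored string, `xlt()`/`xla()` HTML-escape it, `xlj()` JSON-encodes it), and the translation rows, including the tampered one, are constructed.

```php
<?php
// Constructed sample rows standing in for the translation table; the 'Save'
// entry has been tampered with to carry markup.
$translations = [
    'Patient' => 'Patient',
    'Save'    => 'Save <script>alert(1)</script>',
];

// Assumed simplified stand-ins for OpenEMR's helpers (not the project's code).
function xl(string $key): string {            // raw value, no escaping
    global $translations;
    return $translations[$key] ?? $key;
}
function xlt(string $key): string {           // HTML text context
    return htmlspecialchars(xl($key), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
function xla(string $key): string {           // HTML attribute context
    return htmlspecialchars(xl($key), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
function xlj(string $key): string {           // JavaScript literal context
    return json_encode(xl($key), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Vulnerable pattern (CWE-116): raw xl() output lands in the HTML response.
echo "<button>" . xl('Save') . "</button>\n";
// Renders: <button>Save <script>alert(1)</script></button>

// Fixed patterns: one wrapper per output context.
echo "<button>" . xlt('Save') . "</button>\n";
// Renders: <button>Save &lt;script&gt;alert(1)&lt;/script&gt;</button>
echo '<input title="' . xla('Save') . "\">\n";
echo "<script>var label = " . xlj('Save') . ";</script>\n";
// Renders: <script>var label = "Save \u003Cscript\u003Ealert(1)\u003C/script\u003E";</script>

// Audit helper for the interim workaround: flag stored translations that
// contain markup-significant characters so they can be reviewed.
function findSuspiciousTranslations(array $rows): array {
    $hits = [];
    foreach ($rows as $key => $value) {
        if (preg_match('/[<>"\'&]/', $value)) {
            $hits[$key] = $value;
        }
    }
    return $hits;
}
print_r(findSuspiciousTranslations($translations)); // reports only 'Save'
```

The audit helper runs over rows already read from the database; a code-side review still needs to locate each place where `xl()` output reaches the response without passing through a wrapper.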


Tracking


Advisories

No advisories yet.

History

Thu, 26 Feb 2026 15:45:00 +0000

Type: Values Removed / Values Added
First Time appeared: (none) / Open-emr; Open-emr openemr
CPEs: (none) / cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products: (none) / Open-emr; Open-emr openemr
Metrics: (none) / cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Wed, 25 Feb 2026 22:15:00 +0000

Type: Values Removed / Values Added
Metrics: (none) / ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 12:00:00 +0000

Type: Values Removed / Values Added
First Time appeared: (none) / Openemr; Openemr openemr
Vendors & Products: (none) / Openemr; Openemr openemr

Wed, 25 Feb 2026 02:00:00 +0000

Type: Values Removed / Values Added
Description: (none) / OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the `xl()` translation function returns unescaped strings. While wrapper functions exist for escaping in different contexts (`xlt()` for HTML, `xla()` for attributes, `xlj()` for JavaScript), there are places in the codebase where `xl()` output is used directly without escaping. If an attacker could insert malicious content into the translation database, these unescaped outputs could lead to XSS. Version 8.0.0 fixes the issue.
Title: (none) / OpenEMR allows inconsistent escaping of translation function output
Weaknesses: (none) / CWE-116
References: (none) / (none)
Metrics: (none) / cvssV4_0 {'score': 1.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T21:15:31.995Z

Reserved: 2025-12-29T03:00:29.276Z

Link: CVE-2026-21443

Vulnrichment

Updated: 2026-02-25T21:15:14.616Z

NVD

Status: Analyzed

Published: 2026-02-25T02:16:21.863

Modified: 2026-02-26T15:34:11.743

Link: CVE-2026-21443

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:45:15Z

Weaknesses