Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, users with the "Forms administration" role can fill questionnaires ("forms") in patient encounters. The answers to the forms are displayed on the encounter page and in the visit history for the users with the same role. There exists a stored cross-site scripting (XSS) vulnerability in the function to display the form answers, allowing any authenticated attacker with the specific role to insert arbitrary JavaScript into the system by entering malicious payloads to the form answers. The JavaScript code is later executed by any user with the form role when viewing the form answers in the patient encounter pages or visit history. Version 8.0.0 fixes the issue.
Published: 2026-02-25
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting enabling arbitrary JavaScript execution for users with the Forms administration role
Action: Patch
AI Analysis

Impact

OpenEMR stores questionnaire answers. Prior to version 8.0.0, any user who holds the Forms administration role can enter data into these answers. The application displays those answers on encounter and visit‑history pages without sanitizing the content, so a malicious payload entered by that role is rendered as script and executed in the browsers of any other user who views the page. This flaw is a stored XSS, classified as CWE‑79, and provides an attacker with the role the ability to run arbitrary JavaScript in victims’ browsers.

Affected Systems

All OpenEMR installations older than version 8.0.0 are affected. The flaw resides in the core code that renders questionnaire answers and applies only to users entitled to the Forms administration role. No specific sub‑module is listed as affected, and the vendor is OpenEMR.

Risk and Exploitability

The CVSS score of 7.2 indicates a medium‑high impact. The EPSS score of less than 1 % suggests a low probability of public exploitation at this time, and the vulnerability is not listed in the CISA KEV catalog. An attacker must be authenticated with the Forms administration role to insert malicious content; once stored, any user with the same role who views the page will have the script executed, creating a risk that depends on the number of users with that role.

Generated by OpenCVE AI on April 18, 2026 at 10:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenEMR to version 8.0.0 or later to remove the unsanitized rendering of questionnaire answers
  • Limit the Forms administration role to trusted, audited users to reduce the number of users who can inject or view malicious content
  • Inspect existing questionnaire answers for embedded scripts and remove any suspicious entries

Generated by OpenCVE AI on April 18, 2026 at 10:38 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Open-emr
Open-emr openemr
CPEs cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products Open-emr
Open-emr openemr
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared Openemr
Openemr openemr
Vendors & Products Openemr
Openemr openemr

Wed, 25 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Description OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, users with the "Forms administration" role can fill questionnaires ("forms") in patient encounters. The answers to the forms are displayed on the encounter page and in the visit history for the users with the same role. There exists a stored cross-site scripting (XSS) vulnerability in the function to display the form answers, allowing any authenticated attacker with the specific role to insert arbitrary JavaScript into the system by entering malicious payloads to the form answers. The JavaScript code is later executed by any user with the form role when viewing the form answers in the patient encounter pages or visit history. Version 8.0.0 fixes the issue.
Title OpenEMR has Stored XSS in Questionnaire answers
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Open-emr Openemr
Openemr Openemr
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T20:53:59.221Z

Reserved: 2026-02-05T16:48:00.428Z

Link: CVE-2026-25743

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-02-25T19:43:22.343

Modified: 2026-02-27T14:40:33.713

Link: CVE-2026-25743

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T10:45:43Z

Weaknesses