Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, stored cross-site scripting (XSS) in the Graphical Pain Map ("clickmap") form allows any authenticated clinician to inject arbitrary JavaScript that executes in the browser of every subsequent user who views the affected encounter form. Because session cookies are not marked HttpOnly, this enables full session hijacking of other users, including administrators. This vulnerability is fixed in 8.0.0.1.
Published: 2026-03-11
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS leading to session hijacking
Action: Immediate Patch
AI Analysis

Impact

Prior to OpenEMR version 8.0.0.1, any authenticated clinician can insert arbitrary JavaScript into the annotation text of the Graphical Pain Map legend. When other users view the encounter form, the injected script executes in their browsers. Because the session cookies are not marked HttpOnly, an attacker can hijack the session of any subsequent viewer, including administrative users. This enables a breach of confidentiality, integrity, and availability through credential theft and unauthorized actions within the application.
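
As an added illustration (not OpenEMR's own code; the legend markup and function names are hypothetical stand-ins for the real form), the two defects the advisory names, each beside its hardened form: annotation text written into the legend without HTML encoding, and a session cookie issued without HttpOnly. Plain PHP, since OpenEMR is a PHP application.

```php
<?php
// Added illustration, not OpenEMR's own code: the legend markup and
// function names are hypothetical stand-ins for the real form.

// Constructed sample annotation, as a clinician might type it into the legend.
$annotation = '<script>alert(1)</script> left shoulder';

// Defect 1: annotation text concatenated straight into the legend markup,
// so whatever was typed is rendered as HTML for every later viewer.
function renderLegendItemUnsafe(string $color, string $annotation): string
{
    return '<li class="legend" data-color="' . $color . '">' . $annotation . '</li>';
}

// Fix: HTML-encode every untrusted value at the point of output. ENT_QUOTES
// covers attribute context as well as element text; ENT_SUBSTITUTE keeps
// malformed UTF-8 from making htmlspecialchars return an empty string.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderLegendItem(string $color, string $annotation): string
{
    return '<li class="legend" data-color="' . escapeHtml($color) . '">'
        . escapeHtml($annotation) . '</li>';
}

// Defect 2: a session cookie readable from script, which is what turns a
// stored XSS into session hijacking. Set HttpOnly (plus Secure and SameSite)
// before session_start(); the equivalent php.ini setting is
// session.cookie_httponly = 1. The array form requires PHP 7.3 or later.
function startHardenedSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // send only over HTTPS
        'httponly' => true,   // not visible to document.cookie
        'samesite' => 'Lax',
    ]);
    session_start();
}

echo 'unsafe:  ' . renderLegendItemUnsafe('red', $annotation) . PHP_EOL;
echo 'escaped: ' . renderLegendItem('red', $annotation) . PHP_EOL;
```

The escaped line renders the sample as literal text (`&lt;script&gt;...`), which is the behaviour the 8.0.0.1 fix restores for the legend; the cookie settings address the second half of the finding.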

Affected Systems

The vulnerability affects OpenEMR releases before 8.0.0.1. All installations of the openemr:openemr product that have not applied the 8.0.0.1 fix are susceptible.

Risk and Exploitability

The CVSS score of 5.4 indicates medium severity. The EPSS score of less than 1% suggests that, so far, exploitation is unlikely to be widespread. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an authenticated clinician account with access to the Graphical Pain Map, but once such an account is used, the impact can be immediate and broad, reaching every user who views the affected encounter.

Generated by OpenCVE AI on March 17, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the OpenEMR patch by upgrading to release 8.0.0.1 or later


Advisories

No advisories yet.

History

Fri, 13 Mar 2026 16:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Open-emr; Open-emr openemr
CPEs | | cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products | | Open-emr; Open-emr openemr

Thu, 12 Mar 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Openemr; Openemr openemr
Vendors & Products | | Openemr; Openemr openemr

Wed, 11 Mar 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description | | OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, stored cross-site scripting (XSS) in the Graphical Pain Map ("clickmap") form allows any authenticated clinician to inject arbitrary JavaScript that executes in the browser of every subsequent user who views the affected encounter form. Because session cookies are not marked HttpOnly, this enables full session hijacking of other users, including administrators. This vulnerability is fixed in 8.0.0.1.
Title | | OpenEMR has Stored XSS in Graphical Pain Map legend via unescaped annotation text
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T14:06:49.980Z

Reserved: 2026-03-10T22:02:38.855Z

Link: CVE-2026-32118

Vulnrichment

Updated: 2026-03-12T14:06:44.703Z

NVD

Status : Analyzed

Published: 2026-03-11T21:16:17.630

Modified: 2026-03-13T15:49:56.083

Link: CVE-2026-32118

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:37:04Z

Weaknesses