Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, DOM-based stored XSS in the jQuery SearchHighlight plugin (`library/js/SearchHighlight.js`) allows an authenticated user with encounter form write access to inject arbitrary JavaScript that executes in another clinician's browser session when they use the search/find feature on the Custom Report page. The plugin reverses server-side HTML entity encoding by reading decoded text from DOM text nodes, concatenating it into a raw HTML string, and passing it to jQuery's `$()` constructor for HTML parsing. Version 8.0.0.2 fixes the issue.
Published: 2026-03-19
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored DOM XSS
Action: Patch
AI Analysis

Impact

OpenEMR versions before 8.0.0.2 allow an authenticated user who can write encounter forms to store data that, when a clinician uses the search feature on the Custom Report page, is reconstructed as raw HTML by the SearchHighlight plugin and passes it to jQuery’s $ constructor. This process executes embedded JavaScript in the victim’s browser, giving the attacker the ability to run scripts with the victim’s privileges. The description does not specify any additional capabilities beyond script execution.

Affected Systems

All OpenEMR releases prior to 8.0.0.2 are affected. The vulnerability requires an authenticated user with encounter form write permission and a victim who uses the Custom Report search function. The issue is isolated to the SearchHighlight.js plugin within the OpenEMR application.

Risk and Exploitability

The CVSS base score of 4.4 indicates low severity. EPSS is below 1%, suggesting exploitation is unlikely. The vulnerability is not listed in the KEV catalog. Based on the description, the likely attack vector involves the Custom Report search feature accessed by an authenticated user, and the impact is confined to client‑side script execution within the same OpenEMR instance. No information is provided about further consequences such as data exfiltration or privilege escalation, so those aspects remain unspecified.

Generated by OpenCVE AI on March 20, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenEMR to version 8.0.0.2 or later to eliminate the vulnerability.
  • Restrict encounter‑form write permissions to trusted staff to reduce the opportunity for malicious input.
  • If an upgrade cannot be applied immediately, disable or remove the SearchHighlight.js plugin to prevent the XSS from being triggered.

Generated by OpenCVE AI on March 20, 2026 at 18:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Open-emr
Open-emr openemr
CPEs cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products Open-emr
Open-emr openemr

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Openemr
Openemr openemr
Vendors & Products Openemr
Openemr openemr

Thu, 19 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Mar 2026 20:00:00 +0000

Type Values Removed Values Added
Description OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, DOM-based stored XSS in the jQuery SearchHighlight plugin (`library/js/SearchHighlight.js`) allows an authenticated user with encounter form write access to inject arbitrary JavaScript that executes in another clinician's browser session when they use the search/find feature on the Custom Report page. The plugin reverses server-side HTML entity encoding by reading decoded text from DOM text nodes, concatenating it into a raw HTML string, and passing it to jQuery's `$()` constructor for HTML parsing. Version 8.0.0.2 fixes the issue.
Title OpenEMR has Stored DOM XSS via SearchHighlight text-node reconstruction on Custom Report page
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Open-emr Openemr
Openemr Openemr
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-19T20:39:26.670Z

Reserved: 2026-03-10T22:19:36.544Z

Link: CVE-2026-32119

cve-icon Vulnrichment

Updated: 2026-03-19T20:39:17.940Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-19T20:16:13.900

Modified: 2026-03-20T16:20:15.460

Link: CVE-2026-32119

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T11:55:11Z

Weaknesses