Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the dynamic code picker AJAX endpoint returns code descriptions (code_text) that are rendered in the front end (e.g. DataTables) without HTML escaping. If an administrator (or user with code management rights) creates or edits a code with a malicious description containing script, that script runs in the browser of every user who uses the picker. This vulnerability is fixed in 8.0.0.1.
Published: 2026-03-11
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that runs in users’ browsers
Action: Apply Patch
AI Analysis

Impact

This vulnerability allows a malicious code description to be stored in the database and rendered by the dynamic code picker endpoint without HTML escaping. An attacker who can create or edit a code—typically an administrator or a user with code‑management rights—can inject arbitrary JavaScript. When any user opens the picker, the script executes in their browser, enabling phishing attacks, credential theft, or session hijacking.
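As an added illustration of the rendering defect described above (example code, not OpenEMR's own), here is a code_text cell renderer in the unsafe form the advisory describes beside an escaped form; the escapeHtml helper, the row fixtures and the check function are constructed for this example:

```javascript
// Added example (not OpenEMR code): a DataTables-style column renderer for a
// code picker, first as the unsafe pattern the advisory describes and then with
// HTML escaping. Row data and the description strings are constructed fixtures,
// not values taken from OpenEMR or from the CVE record.

// Minimal HTML escaper covering the five characters that break out of text
// context or attribute values. DataTables ships an equivalent renderer as
// $.fn.dataTable.render.text(); this stand-alone version keeps the example
// runnable without jQuery or DataTables.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Unsafe pattern: the description returned by the AJAX endpoint is placed
// straight into the table cell, so markup stored in code_text becomes live DOM.
function renderCodeTextUnescaped(row) {
  return `<td>${row.code_text}</td>`;
}

// Hardened pattern: the same cell with the description escaped before insertion.
function renderCodeTextEscaped(row) {
  return `<td>${escapeHtml(row.code_text)}</td>`;
}

// Constructed sample of a picker response. The second row's description carries
// a script tag so the two renderers visibly diverge.
const SAMPLE_ROWS = [
  { code: 'I10', code_text: 'Essential (primary) hypertension' },
  { code: 'X01', code_text: 'Bad entry <script>x()</script> & "quotes"' },
];

// Check a reviewer or regression test can run over rendered cells: a cell that
// still contains a raw "<script" substring would execute in the picker.
function containsRawScriptTag(html) {
  return /<script/i.test(html);
}

// Render every row with the given renderer and return the cell HTML strings.
function renderRows(rows, renderer) {
  return rows.map(renderer);
}
```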

Affected Systems

OpenEMR versions earlier than 8.0.0.1 are affected. The issue arises in the AJAX endpoint that returns code_text for code pickers used in many parts of the application. The fix was implemented in OpenEMR 8.0.0.1.

Risk and Exploitability

The CVSS score is 5.4, indicating moderate severity. EPSS is under 1 %, suggesting exploitation is currently unlikely, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires authenticated access to the code‑management interface; unauthenticated users cannot inject payloads. The threat is therefore confined to environments where a privileged account is compromised or its holder acts maliciously.

Generated by OpenCVE AI on April 16, 2026 at 02:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenEMR 8.0.0.1 or later to eliminate the stored XSS flaw.
  • Invalidate any cached or stored code picker data that may contain old malicious descriptions to prevent residual attacks during transition.
  • Restrict the ability to create or edit code descriptions to highly trusted administrators and audit these privileges regularly.
  • Implement a Content‑Security‑Policy that disallows inline scripts, providing an additional safety net if the bug is inadvertently re‑introduced.

Generated by OpenCVE AI on April 16, 2026 at 02:59 UTC.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Open-emr
Open-emr openemr
CPEs cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products Open-emr
Open-emr openemr

Thu, 12 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Openemr
Openemr openemr
Vendors & Products Openemr
Openemr openemr

Wed, 11 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Description OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the dynamic code picker AJAX endpoint returns code descriptions (code_text) that are rendered in the front end (e.g. DataTables) without HTML escaping. If an administrator (or user with code management rights) creates or edits a code with a malicious description containing script, that script runs in the browser of every user who uses the picker. This vulnerability is fixed in 8.0.0.1.
Title OpenEMR: Dynamic Code Picker Renders Unescaped Descriptions (Stored XSS)
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T14:12:43.517Z

Reserved: 2026-03-10T22:19:36.545Z

Link: CVE-2026-32124

Vulnrichment

Updated: 2026-03-12T14:12:38.693Z

NVD

Status: Analyzed

Published: 2026-03-11T21:16:18.353

Modified: 2026-03-13T15:47:23.440

Link: CVE-2026-32124

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T03:00:09Z

Weaknesses