Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, track/item names from the Track Anything feature are stored from user input (POST) and later rendered in Dygraph charts (titles/labels) using innerHTML or equivalent without escaping. A user who can create or edit Track Anything items can inject script that runs when any user views the corresponding graph. This vulnerability is fixed in 8.0.0.1.
Published: 2026-03-11
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting (XSS) in Chart Titles
Action: Patch
AI Analysis

Impact

OpenEMR stores user-supplied track names from the Track Anything feature without escaping them, and these names are later rendered in Dygraph charts using innerHTML or equivalent. An attacker with the ability to create or edit items can therefore inject script that runs in the browser of any user who views the corresponding graph. This allows execution of arbitrary JavaScript in the victim's session, potentially enabling session hijacking, data theft or phishing. The weakness is categorized as CWE-79.
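As an added illustration that is not OpenEMR's or Dygraph's own code: a minimal Node-runnable sketch of the unsafe pattern the advisory describes (a stored track name concatenated into the HTML that a chart title is assigned from via innerHTML) beside an escaped version, plus a simple check for raw markup in stored names. The sample names and all helper functions are constructed for this example.

```javascript
// Added example, not OpenEMR or Dygraph code. Runs under Node without a DOM;
// the "renderers" just build the HTML string that innerHTML would parse.

// Constructed sample track names, as a user could submit them through the
// Track Anything form. The second one carries a script tag in the name.
const SAMPLE_TRACK_NAMES = [
  "Blood pressure (mmHg)",
  'Weight <script>x()</script>',
];

// Minimal HTML escaper for the five characters that matter in text and
// attribute contexts. Written for this example only; a real application
// should use its framework's escaping helper.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the raw stored name becomes part of the markup that
// the chart label code assigns with innerHTML, so any tag in it is parsed
// and executed by the viewer's browser.
function renderTitleUnsafe(trackName) {
  return `<div class="dygraph-title">${trackName}</div>`;
}

// Hardened pattern: escape the name before it reaches the title option, so
// the browser shows the characters literally instead of parsing them as tags.
function renderTitleSafe(trackName) {
  return `<div class="dygraph-title">${escapeHtml(trackName)}</div>`;
}

// Simple check a reviewer or a detection job could run over stored names:
// does the value contain what looks like the start of an HTML tag?
function looksLikeMarkup(trackName) {
  return /<\s*[a-z!\/]/i.test(trackName);
}

// Stand-alone demonstration of the difference between the two renderers.
for (const name of SAMPLE_TRACK_NAMES) {
  console.log("unsafe:", renderTitleUnsafe(name));
  console.log("safe:  ", renderTitleSafe(name));
  console.log("flag:  ", looksLikeMarkup(name));
}
```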

Affected Systems

The issue exists in OpenEMR versions prior to 8.0.0.1. All installations running any release before that patch are affected; the fix is applied in OpenEMR 8.0.0.1 and later.

Risk and Exploitability

The CVSS base score is 5.4, indicating moderate severity. The EPSS score is below 1%, suggesting a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker with write access to Track Anything items and a victim who views the graph; because the payload is stored, it is triggered for every user who views the chart afterwards. Given the moderate score and low exploit likelihood, the risk is considered moderate, but it should be mitigated promptly.

Generated by OpenCVE AI on March 17, 2026 at 16:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenEMR to version 8.0.0.1 or later.

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 16:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Open-emr
                                      Open-emr openemr
CPEs                                  cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Vendors & Products                    Open-emr
                                      Open-emr openemr

Thu, 12 Mar 2026 15:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Openemr
                                      Openemr openemr
Vendors & Products                    Openemr
                                      Openemr openemr

Wed, 11 Mar 2026 21:15:00 +0000

Type          Values Removed   Values Added
Description                    OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, track/item names from the Track Anything feature are stored from user input (POST) and later rendered in Dygraph charts (titles/labels) using innerHTML or equivalent without escaping. A user who can create or edit Track Anything items can inject script that runs when any user views the corresponding graph. This vulnerability is fixed in 8.0.0.1.
Title                          OpenEMR: Stored XSS in Track Anything Graphs via Unescaped Dygraph Titles/Labels
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1
                               {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T14:13:44.208Z

Reserved: 2026-03-10T22:19:36.545Z

Link: CVE-2026-32125

Vulnrichment

Updated: 2026-03-12T14:13:38.278Z

NVD

Status: Analyzed

Published: 2026-03-11T21:16:18.540

Modified: 2026-03-13T15:47:01.130

Link: CVE-2026-32125

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:37:00Z

Weaknesses