Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the POST parameter `title` is reflected back in a JSON response built with `json_encode()`. Because the response is served with a `text/html` Content-Type, the browser interprets injected HTML/script tags rather than treating the output as JSON. An authenticated attacker can craft a request that executes arbitrary JavaScript in a victim's session. Version 8.0.0.3 contains a fix.
Published: 2026-03-25
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Reflected Cross‑Site Scripting via title parameter
Action: Apply Patch
AI Analysis

Impact

OpenEMR's graphs.php endpoint reflects the POST parameter title back in a JSON response that is built with json_encode() but served with a text/html Content-Type. json_encode() escapes quotes, backslashes and (by default) forward slashes, but leaves < and > untouched, so a tag placed in title survives in the body, and because the browser parses that body as HTML rather than JSON, any script in it runs in the context of the authenticated user's session. The flaw is a reflected cross-site scripting vulnerability (CWE-79). The CVSS vector (C:L/I:L/A:N) records a limited impact on confidentiality and integrity, such as reading data or performing actions with the victim's privileges, and no availability impact.
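The mechanism described in the Description and the Impact paragraph above, shown as an added PHP example that is not OpenEMR's graphs.php code: respond_vulnerable() models a handler that json_encode()s a POST parameter and declares the body text/html, respond_hardened() shows one way to close the vector (correct Content-Type, X-Content-Type-Options: nosniff, and the JSON_HEX_* flags), and is_safe_json_response() is a check that can be applied to any captured response. The function names, the points key and the payload are assumptions for illustration only.

```php
<?php
// Added example, not OpenEMR code. The handlers below model the pattern in the
// advisory (a POST parameter echoed through json_encode() and served as
// text/html) and one way to harden it. Names and the payload are assumptions.

declare(strict_types=1);

/**
 * Vulnerable pattern: the reflected parameter is JSON-encoded, but the response
 * is declared text/html, so a browser renders any markup inside it.
 * Returns [headers, body] instead of emitting them so the script runs on the CLI.
 */
function respond_vulnerable(array $post): array
{
    $title = $post['title'] ?? '';
    // json_encode() escapes '"', '\\' and '/' by default but leaves '<' and
    // '>' alone, so a tag in $title survives intact in the JSON text.
    $body = json_encode(['title' => $title, 'points' => []]);
    return [['Content-Type' => 'text/html; charset=utf-8'], $body];
}

/**
 * Hardened pattern: declare the real media type, forbid MIME sniffing, and
 * hex-escape HTML-significant characters inside the JSON. The Content-Type
 * alone stops the browser rendering the body; the JSON_HEX_* flags also keep
 * the value safe if client code later drops it into the DOM via innerHTML.
 */
function respond_hardened(array $post): array
{
    $title = $post['title'] ?? '';
    $body = json_encode(
        ['title' => $title, 'points' => []],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return [
        [
            'Content-Type'           => 'application/json; charset=utf-8',
            'X-Content-Type-Options' => 'nosniff',
        ],
        $body,
    ];
}

/** Post-patch check: a JSON response must not be renderable as HTML. */
function is_safe_json_response(array $response): bool
{
    [$headers, $body] = $response;
    $ct = strtolower($headers['Content-Type'] ?? '');
    if (strpos($ct, 'application/json') !== 0) {
        return false;
    }
    // Raw angle brackets would still matter if the JSON were ever written into
    // a page unescaped, so insist that they are encoded as well.
    return strpos($body, '<') === false && strpos($body, '>') === false;
}

// Constructed payload (not from the advisory). It needs no quotes, so
// json_encode()'s escaping of '"' does not get in the way.
$payload = ['title' => '<img src=x onerror=alert(document.domain)>'];

foreach (['vulnerable' => respond_vulnerable($payload),
          'hardened'   => respond_hardened($payload)] as $name => $resp) {
    printf("[%s] Content-Type: %s\n", $name, $resp[0]['Content-Type']);
    printf("[%s] body: %s\n", $name, $resp[1]);
    printf("[%s] safe: %s\n\n", $name, is_safe_json_response($resp) ? 'yes' : 'no');
}
```

Run it with php on the command line; the vulnerable body carries the literal tag while the hardened body encodes it as \u003Cimg ... \u003E. An event-handler payload is used rather than a script tag because json_encode() turns a closing </script> into <\/script>, which the HTML parser does not treat as a closing tag, whereas an onerror attribute needs no closing tag at all.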

Affected Systems

The flaw affects OpenEMR releases prior to 8.0.0.3. The product is free and open source and is widely deployed for electronic health records and medical practice management, so affected instances typically sit in front of patient data.

Risk and Exploitability

The CVSS 3.1 score of 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates moderate severity, and the EPSS score below 1% suggests a low current probability of exploitation; the SSVC assessment recorded on this page likewise lists Exploitation as none and Automatable as no. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires a low-privileged account on the application (PR:L) and user interaction (UI:R): the crafted POST to graphs.php has to be submitted from a victim's authenticated browser session, so the attacker needs a delivery path such as an auto-submitting form on a page the victim visits, and whether the endpoint's CSRF protections block that path is not stated in the advisory. No publicly available exploit is known at this time.

Generated by OpenCVE AI on March 26, 2026 at 17:28 UTC.

Remediation

The vendor description states that version 8.0.0.3 contains a fix; no separate workaround is listed by the vendor.

OpenCVE Recommended Actions

  • Update OpenEMR to version 8.0.0.3 or later, which the vendor description identifies as containing the fix.
  • If an upgrade cannot be performed immediately, do not rely on restricting access to graphs.php: the attacker only needs a low-privileged account and a victim who is already authenticated. An interim local change that serves the endpoint's output with an application/json Content-Type and X-Content-Type-Options: nosniff, or that encodes <, > and & in the reflected title value, closes the rendering vector until the patch is applied.
  • A web application firewall rule that blocks obvious payloads in the title parameter (script tags, event-handler attributes) reduces exposure in the meantime, but such rules are routinely bypassed and are not a substitute for the patch.
  • After patching, verify the behaviour directly rather than assuming how the fix was implemented, since the advisory does not describe it: send a request with markup in title and confirm that the response carries an application/json Content-Type and that the value, if still reflected, comes back only in escaped form (for example \u003C and \u003E) and is not rendered by the browser.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 16:30:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Open-emr; Open-emr openemr
Type: CPEs
  Values Removed: (none)
  Values Added: cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Open-emr; Open-emr openemr

Thu, 26 Mar 2026 15:15:00 +0000

Type: Metrics (ssvc)
  Values Removed: (none)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Openemr; Openemr openemr
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Openemr; Openemr openemr

Wed, 25 Mar 2026 23:00:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.3, the POST parameter `title` is reflected back in a JSON response built with `json_encode()`. Because the response is served with a `text/html` Content-Type, the browser interprets injected HTML/script tags rather than treating the output as JSON. An authenticated attacker can craft a request that executes arbitrary JavaScript in a victim's session. Version 8.0.0.3 contains a fix.
Type: Title
  Values Removed: (none)
  Values Added: OpenEMR vulnerable to reflected XSS in graphs.php via title parameter
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-79
Type: References
  Values Removed: (none)
  Values Added: (none listed)
Type: Metrics (cvssV3_1)
  Values Removed: (none)
  Values Added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T15:02:49.257Z

Reserved: 2026-03-24T15:41:47.492Z

Link: CVE-2026-33911

Vulnrichment

Updated: 2026-03-26T14:44:36.528Z

NVD

Status : Analyzed

Published: 2026-03-25T23:17:10.337

Modified: 2026-03-26T16:23:28.140

Link: CVE-2026-33911

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:29:27Z

Weaknesses