CVE-2026-32124

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-32124
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the dynamic code picker AJAX endpoint returns code descriptions (code_text) that are rendered in the front end (e.g. DataTables) without HTML escaping. If an administrator (or user with code management rights) creates or edits a code with a malicious description containing script, that script runs in the browser of every user who uses the picker. This vulnerability is fixed in 8.0.0.1.

5.4 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/openemr/openemr/security/advisories/GHSA-9hw7-22mr-qhfc Exploit Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
History

13 Mar 2026, 15:47

Type Values Removed Values Added
First Time Open-emr openemr
Open-emr
CPE cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
References () https://github.com/openemr/openemr/security/advisories/GHSA-9hw7-22mr-qhfc - () https://github.com/openemr/openemr/security/advisories/GHSA-9hw7-22mr-qhfc - Exploit, Vendor Advisory
Summary
  • (es) OpenEMR es una aplicación gratuita y de código abierto de registros médicos electrónicos y gestión de consultorios médicos. Antes de la 8.0.0.1, el endpoint AJAX del selector de códigos dinámico devuelve descripciones de códigos (code_text) que se renderizan en el frontend (p. ej., DataTables) sin escape HTML. Si un administrador (o un usuario con derechos de gestión de códigos) crea o edita un código con una descripción maliciosa que contiene un script, ese script se ejecuta en el navegador de cada usuario que utiliza el selector. Esta vulnerabilidad se ha corregido en la 8.0.0.1.

11 Mar 2026, 21:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-11 21:16

Updated : 2026-03-13 15:47

NVD link : CVE-2026-32124

Mitre link : CVE-2026-32124

CVE.ORG link : CVE-2026-32124

JSON object : View

Products Affected

open-emr

  • openemr
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')