CVE-2026-32125

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-32125
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, track/item names from the Track Anything feature are stored from user input (POST) and later rendered in Dygraph charts (titles/labels) using innerHTML or equivalent without escaping. A user who can create or edit Track Anything items can inject script that runs when any user views the corresponding graph. This vulnerability is fixed in 8.0.0.1.

5.4 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/openemr/openemr/security/advisories/GHSA-244w-vxhp-7x99 Exploit Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
History

13 Mar 2026, 15:47

Type Values Removed Values Added
CPE cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*
First Time Open-emr openemr
Open-emr
References () https://github.com/openemr/openemr/security/advisories/GHSA-244w-vxhp-7x99 - () https://github.com/openemr/openemr/security/advisories/GHSA-244w-vxhp-7x99 - Exploit, Vendor Advisory
Summary
  • (es) OpenEMR es una aplicación gratuita y de código abierto para la gestión de registros médicos electrónicos y la práctica médica. Previo a la versión 8.0.0.1, los nombres de pistas/elementos de la función 'Track Anything' se almacenan a partir de la entrada del usuario (POST) y luego se renderizan en gráficos Dygraph (títulos/etiquetas) utilizando innerHTML o equivalente sin escape. Un usuario que puede crear o editar elementos de 'Track Anything' puede inyectar scripts que se ejecutan cuando cualquier usuario ve el gráfico correspondiente. Esta vulnerabilidad se corrige en la versión 8.0.0.1.

11 Mar 2026, 21:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-03-11 21:16

Updated : 2026-03-13 15:47

NVD link : CVE-2026-32125

Mitre link : CVE-2026-32125

CVE.ORG link : CVE-2026-32125

JSON object : View

Products Affected

open-emr

  • openemr
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')