CVE-2025-30161
Published: 31 March 2025
Summary
CVE-2025-30161 is a high-severity Basic XSS (CWE-80) vulnerability in OpenEMR. Its CVSS base score is 8.4 (High).
Operationally, it ranks in the top 8.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
OpenEMR is a free and open source electronic health records and medical practice management application. CVE-2025-30161 is a stored cross-site scripting vulnerability (CWE-80) in the Bronchitis form component that permits an authenticated user with form-editing rights to inject persistent scripts. The flaw resides in the view.php handling of bronchitis form data and carries a CVSS 4.0 score of 8.4.
An attacker able to edit a bronchitis form can store malicious JavaScript that executes in the browser of any administrator who later views the record, enabling theft of administrator credentials and subsequent account takeover. No special network position or user interaction beyond normal form viewing is required once the payload is persisted.
The vulnerability is fixed in OpenEMR 7.0.3, as stated in the project’s GitHub Security Advisory GHSA-59rv-645x-rg6p and the corresponding code changes that neutralize the unsanitized output.
The EPSS probability rose from a low baseline to a peak of 0.1372 on 2026-05-12 before receding to the current value of 0.0688, indicating that exploitation interest emerged after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8840
Vulnerability details
OpenEMR is a free and open source electronic health records and medical practice management application. A stored XSS vulnerability in the Bronchitis form component of OpenEMR allows anyone who is able to edit a bronchitis form to steal credentials from administrators. This vulnerability is fixed in 7.0.3.
- CWE(s): CWE-80 (Basic XSS)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.