CVE-2025-69231
Published: 25 February 2026
Summary
CVE-2025-69231 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Open-Emr Openemr. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Filters output from the GAD-7 form to prevent execution of injected JavaScript in viewers' browsers, directly mitigating stored XSS.
Validates clinician inputs to the GAD-7 form to block malicious JavaScript from being stored, preventing the root cause of the stored XSS vulnerability.
Remediates the specific stored XSS flaw in OpenEMR versions prior to 8.0.0 by applying the vendor-released patch.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS in public-facing web app (OpenEMR) enables exploitation of remote services (T1190) and facilitates stealing web session cookies via injected JavaScript for session hijacking and account takeover (T1539).
NVD Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a stored cross-site scripting vulnerability in the GAD-7 anxiety assessment form allows authenticated users with clinician privileges to inject malicious JavaScript…
more
that executes when other users view the form. This enables session hijacking, account takeover, and privilege escalation from clinician to administrator. Version 8.0.0 fixes the issue.
Deeper analysisAI
CVE-2025-69231 is a stored cross-site scripting (XSS) vulnerability, mapped to CWE-79, in OpenEMR, a free and open-source electronic health records and medical practice management application. The issue resides in the GAD-7 anxiety assessment form and affects versions prior to 8.0.0. It carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N) and was published on 2026-02-25.
Authenticated users with clinician privileges can exploit the vulnerability by injecting malicious JavaScript into the GAD-7 form. When other users view the form, the injected script executes in their browsers, enabling session hijacking, account takeover, and privilege escalation from clinician to administrator.
OpenEMR version 8.0.0 resolves the vulnerability. Additional mitigation details are available in the GitHub security advisory at https://github.com/openemr/openemr/security/advisories/GHSA-mf62-q2xc-hxm3 and the fixing commit at https://github.com/openemr/openemr/commit/5f20b756441fc9868f43410a9ef97536c38b2ba6.
Details
- CWE(s)