Cyber Resilience

CVE-2026-32118

Medium · Public PoC

Published: 11 March 2026
Modified: 13 March 2026
CVSS Score (v3.1): 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.0028 (19.7th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-32118 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in Open-Emr Openemr. Its CVSS base score is 5.4 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). The CVE is ranked at the 19.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-32118, published on 2026-03-11, is a stored cross-site scripting (XSS) vulnerability (CWE-79) in OpenEMR, a free and open-source electronic health records and medical practice management application. The issue affects versions prior to 8.0.0.1 and is located in the Graphical Pain Map ("clickmap") form, where user input is not properly sanitized, allowing persistent injection of malicious scripts.

Any authenticated clinician with access to the application can exploit this vulnerability by injecting arbitrary JavaScript into the clickmap form during an encounter. The script executes in the browser of every subsequent user who views the affected encounter form. Because OpenEMR session cookies are not marked HttpOnly, this enables full session hijacking, potentially granting attackers control over other users' sessions, including those of administrators. The CVSS v3.1 base score is 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).

The vulnerability is addressed in OpenEMR version 8.0.0.1. Additional details on the issue and remediation are available in the GitHub security advisory at https://github.com/openemr/openemr/security/advisories/GHSA-55qj-x8wh-m4rm.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, stored cross-site scripting (XSS) in the Graphical Pain Map ("clickmap") form allows any authenticated clinician to inject arbitrary JavaScript that executes in the browser of every subsequent user who views the affected encounter form. Because session cookies are not marked HttpOnly, this enables full session hijacking of other users, including administrators. This vulnerability is fixed in 8.0.0.1.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.
Why these techniques?

Stored XSS in the clickmap form allows persistent injection of JavaScript that executes in other users' browsers; lack of HttpOnly on session cookies directly enables browser session hijacking (including admin sessions).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32121 (same product: Open-Emr Openemr)
CVE-2026-33932 (same product: Open-Emr Openemr)
CVE-2026-33346 (same product: Open-Emr Openemr)
CVE-2026-33348 (same product: Open-Emr Openemr)
CVE-2025-69231 (same product: Open-Emr Openemr)
CVE-2026-33299 (same product: Open-Emr Openemr)
CVE-2026-25927 (same product: Open-Emr Openemr)
CVE-2026-33918 (same product: Open-Emr Openemr)
CVE-2025-29789 (same product: Open-Emr Openemr)
CVE-2025-67752 (same product: Open-Emr Openemr)

Affected Assets

Vendor: open-emr
Product: openemr
Versions: ≤ 8.0.0.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent (SI-10 Information Input Validation): Directly requires validation and sanitization of all user-supplied input to the clickmap form, blocking the stored XSS payload before it is persisted.

Prevent (SI-15 Information Output Filtering): Mandates output filtering/encoding of data rendered from the encounter form, neutralizing any malicious script before it executes in other users' browsers.

Prevent: Requires protection of session authenticity, which includes configuring cookies with the HttpOnly flag to prevent JavaScript access and subsequent session hijacking.
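As an added illustration of two of the controls above (this is example code written for this record, not code from OpenEMR or from this site), the Python below HTML-encodes clinician-supplied clickmap text before it is embedded in the encounter page (the output-filtering control) and inspects Set-Cookie headers to report which hardening attributes the session cookie lacks (the session-authenticity control). The cookie name `OpenEMR` and the header values are constructed sample data, not captured from a real deployment.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie headers; not captured from a real OpenEMR host.
# The session cookie name "OpenEMR" is an assumption made for this example.
SAMPLE_HEADERS_WEAK = ["OpenEMR=abc123; Path=/; Secure"]
SAMPLE_HEADERS_HARDENED = ["OpenEMR=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]


def render_clickmap_note(note: str) -> str:
    """Output filtering (SI-15): HTML-encode clinician-supplied text before it is
    placed in the encounter page, so stored markup is displayed, not executed."""
    return html.escape(note, quote=True)


def cookie_flags(set_cookie: str) -> dict:
    """Parse one Set-Cookie header value and report its hardening attributes."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    name = next(iter(jar))          # first cookie named in the header
    morsel = jar[name]
    return {
        "name": name,
        "httponly": bool(morsel["httponly"]),
        "secure": bool(morsel["secure"]),
        "samesite": morsel["samesite"] or None,
    }


def missing_session_flags(set_cookie_headers: list, session_name: str) -> list:
    """Return the hardening attributes the named session cookie lacks.
    An empty list means HttpOnly, Secure and SameSite are all present;
    ["cookie-not-set"] means no Set-Cookie header carried that cookie."""
    for header in set_cookie_headers:
        flags = cookie_flags(header)
        if flags["name"] != session_name:
            continue
        missing = [attr for attr in ("httponly", "secure") if not flags[attr]]
        if flags["samesite"] is None:
            missing.append("samesite")
        return missing
    return ["cookie-not-set"]


if __name__ == "__main__":
    print(render_clickmap_note("<script>x()</script>"))               # &lt;script&gt;x()&lt;/script&gt;
    print(missing_session_flags(SAMPLE_HEADERS_WEAK, "OpenEMR"))      # ['httponly', 'samesite']
    print(missing_session_flags(SAMPLE_HEADERS_HARDENED, "OpenEMR"))  # []
```

To check a live deployment, feed the Set-Cookie values from the login response into `missing_session_flags` in place of the constructed headers; a non-empty result for the session cookie is the condition the advisory describes.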

References