CVE-2026-32118
Published: 11 March 2026
Summary
CVE-2026-32118 is a medium-severity stored cross-site scripting (CWE-79) vulnerability in OpenEMR (listed in NVD as vendor Open-Emr, product Openemr). Its CVSS v3.1 base score is 5.4 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK technique Browser Session Hijacking (T1185). The CVE is ranked at the 15.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls (AI-generated)
Automated control mapping has not yet run for this CVE; the list below is derived from the weakness type (CWE-79) cited in the NVD entry.
- Penetration testing submits XSS payloads to web application inputs and reports the reflected or stored cross-site scripting flaws it finds for remediation.
- Input validation rejects submissions that carry script-related content (script tags, event-handler attributes, javascript: URLs). Treat it as a secondary control: a denylist is always incomplete.
- Context-aware output encoding, or validation of generated pages against the expected content, neutralizes script content before it reaches the browser. This is the primary defense against stored XSS, because it works regardless of what was persisted.
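The three controls above, shown together in one added Python example (this is illustrative code written for this page, not OpenEMR's own form handling). The form template, the field name and the three payload submissions are constructed for the example. It renders the same user text through a vulnerable "before" template and a hardened "after" template, applies an input-side denylist, and then checks each rendered page with an HTML parser for script sinks a browser would actually execute, which is what a pentest of the form would be looking for.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample submissions for a free-text field of a clinical form. The
# three payloads are the kind a pentest would submit. Field and renderer names
# are hypothetical, not OpenEMR code.
SAMPLE_SUBMISSIONS = {
    "benign": "Pain in left shoulder, 6/10",
    "script_tag": "<script>alert(document.cookie)</script>",
    "event_handler": "<img src=x onerror=alert(1)>",
    "attr_breakout": '" autofocus onfocus=alert(1) x="',
}

# The note lands in two output contexts: an attribute value and the element body.
TEMPLATE = '<div class="pain-note" data-note="{attr}">{body}</div>'


def render_unsafe(note: str) -> str:
    """Vulnerable 'before': user text is interpolated into HTML verbatim."""
    return TEMPLATE.format(attr=note, body=note)


def render_safe(note: str) -> str:
    """Hardened 'after': entity-encode for each output context.
    html.escape(quote=True) encodes <, >, &, " and ' so the text can neither
    break out of the quoted attribute nor start a tag in the body."""
    return TEMPLATE.format(attr=escape(note, quote=True),
                           body=escape(note, quote=True))


# Input-side denylist (second control). Secondary only: it is trivially
# incomplete compared with output encoding.
SCRIPT_MARKERS = re.compile(r"<\s*/?\s*script\b|\bon\w+\s*=|javascript\s*:",
                            re.IGNORECASE)


def rejects_script_input(note: str) -> bool:
    """True when the submission should be rejected before it is stored."""
    return SCRIPT_MARKERS.search(note) is not None


class ScriptDetector(HTMLParser):
    """Records <script> elements and on* event-handler attributes, i.e. things
    a browser would execute. Escaped text that merely looks like markup is
    delivered as character data and is ignored."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("<script> element")
        for name, _value in attrs:          # attribute names arrive lowercased
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")


def executable_script_in(rendered_html: str) -> list[str]:
    """Parse the rendered page the way a browser would and list live script sinks."""
    detector = ScriptDetector()
    detector.feed(rendered_html)
    detector.close()
    return detector.findings


def run_payloads(renderer) -> dict[str, bool]:
    """First control in miniature: push every sample submission through a
    renderer and report whether the output contains executable script."""
    return {name: bool(executable_script_in(renderer(note)))
            for name, note in SAMPLE_SUBMISSIONS.items()}


if __name__ == "__main__":
    for label, renderer in (("unsafe", render_unsafe), ("safe", render_safe)):
        print(label, run_payloads(renderer))
```

The detector deliberately parses the output instead of grepping it: after encoding, the string `onfocus=alert(1)` still appears inside the attribute value, and a regex check would report a false positive where the parser correctly sees an inert attribute value.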
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Stored XSS in the clickmap form lets an authenticated clinician persist JavaScript that executes in the browser of every later viewer of the encounter form. Because the session cookies are not marked HttpOnly, that script can read them, which is what turns the XSS into browser session hijacking (including admin sessions). T1185 is a loose fit here: ATT&CK describes it as adversary-in-the-browser pivoting, and cookie theft by injected script is more precisely Steal Web Session Cookie (T1539).
NVD Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, stored cross-site scripting (XSS) in the Graphical Pain Map ("clickmap") form allows any authenticated clinician to inject arbitrary JavaScript that executes in the browser of every subsequent user who views the affected encounter form. Because session cookies are not marked HttpOnly, this enables full session hijacking of other users, including administrators. This vulnerability is fixed in 8.0.0.1.
Deeper analysis (AI-generated)
CVE-2026-32118, published on 2026-03-11, is a stored cross-site scripting (XSS) vulnerability (CWE-79) in OpenEMR, a free and open-source electronic health records and medical practice management application. The issue affects versions prior to 8.0.0.1 and is located in the Graphical Pain Map ("clickmap") form, where user input is not properly sanitized, allowing persistent injection of malicious scripts.
Any authenticated clinician with access to the form can exploit this vulnerability by injecting arbitrary JavaScript into the clickmap form during an encounter. The script executes in the browser of every subsequent user who views the affected encounter form. Because OpenEMR session cookies are not marked HttpOnly, the injected script can read them, enabling full session hijacking and potentially granting the attacker control over other users' sessions, including those of administrators. The CVSS v3.1 base score is 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N): the attacker needs a low-privilege account (PR:L), a victim must open the affected form (UI:R), and scope is changed (S:C) because the payload runs in the victim's browser rather than in the vulnerable component itself.
The vulnerability is addressed in OpenEMR version 8.0.0.1. Additional details on the issue and remediation are available in the GitHub security advisory at https://github.com/openemr/openemr/security/advisories/GHSA-55qj-x8wh-m4rm.
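The NVD description and the analysis above both hinge on the session cookie lacking HttpOnly. The following added Python check (written for this page, not code from OpenEMR or its advisory) audits the Set-Cookie headers of an HTTP response for HttpOnly, Secure and a Lax/Strict SameSite value, and lists which cookies injected script could read through document.cookie. The response and its cookie names are constructed for the example; two of the three cookies are deliberately mis-set.

```python
# Constructed HTTP response (not captured from a real OpenEMR deployment);
# cookie names are hypothetical.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: sid=7f3c9e; Path=/\r\n"
    "Set-Cookie: csrf_hint=a1b2; Path=/; Secure; SameSite=Lax\r\n"
    "Set-Cookie: PHPSESSID=d4e5f6; Path=/; HttpOnly; Secure; SameSite=Strict\r\n"
    "\r\n"
    "<html>...</html>"
)


def set_cookie_headers(raw_response: str) -> list[str]:
    """Return the value of every Set-Cookie header in the response head."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "set-cookie":
            values.append(value.strip())
    return values


def missing_attributes(header_value: str) -> tuple[str, list[str]]:
    """Parse one Set-Cookie value and list the hardening attributes it lacks.
    Attribute names are case-insensitive; SameSite only counts when it is
    Lax or Strict (SameSite=None offers no cross-site protection)."""
    parts = [p.strip() for p in header_value.split(";")]
    cookie_name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip().lower()
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "secure" not in attrs:
        missing.append("Secure")
    if attrs.get("samesite") not in ("lax", "strict"):
        missing.append("SameSite")
    return cookie_name, missing


def audit_set_cookies(raw_response: str) -> dict[str, list[str]]:
    """Map each cookie name in the response to the attributes it is missing."""
    return dict(missing_attributes(v) for v in set_cookie_headers(raw_response))


def cookies_readable_by_script(raw_response: str) -> list[str]:
    """Cookies that injected JavaScript could exfiltrate via document.cookie."""
    return [name for name, missing in audit_set_cookies(raw_response).items()
            if "HttpOnly" in missing]


if __name__ == "__main__":
    for name, missing in audit_set_cookies(SAMPLE_RESPONSE).items():
        print(f"{name}: missing {missing or 'nothing'}")
    print("readable by script:", cookies_readable_by_script(SAMPLE_RESPONSE))
```

HttpOnly is defense in depth, not a fix for this CVE: it stops the injected script from reading the cookie, but the script still runs in the victim's session and can issue authenticated requests from the victim's browser. The remediation is the upgrade to 8.0.0.1; this check only confirms that the secondary layer is in place.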
Details
- CWE(s)