CVE-2026-32118
Published: 11 March 2026
Summary
CVE-2026-32118 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in OpenEMR (vendor Open-EMR). Its CVSS base score is 5.4 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Browser Session Hijacking (T1185). The vulnerability is ranked at the 19.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-32118, published on 2026-03-11, is a stored cross-site scripting (XSS) vulnerability (CWE-79) in OpenEMR, a free and open-source electronic health records and medical practice management application. The issue affects versions prior to 8.0.0.1 and is located in the Graphical Pain Map ("clickmap") form, where user input is not properly sanitized, allowing persistent injection of malicious scripts.
Any authenticated clinician with access to the application can exploit this vulnerability by injecting arbitrary JavaScript into the clickmap form during an encounter. The script executes in the browser of every subsequent user who views the affected encounter form. Because OpenEMR session cookies are not marked HttpOnly, this enables full session hijacking, potentially granting attackers control over other users' sessions, including those of administrators. The CVSS v3.1 base score is 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N).
The vulnerability is addressed in OpenEMR version 8.0.0.1. Additional details on the issue and remediation are available in the GitHub security advisory at https://github.com/openemr/openemr/security/advisories/GHSA-55qj-x8wh-m4rm.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-11387
Vulnerability details
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, stored cross-site scripting (XSS) in the Graphical Pain Map ("clickmap") form allows any authenticated clinician to inject arbitrary JavaScript that executes in the browser of every subsequent user who views the affected encounter form. Because session cookies are not marked HttpOnly, this enables full session hijacking of other users, including administrators. This vulnerability is fixed in 8.0.0.1.
- CWE(s): CWE-79 (Cross-site Scripting)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Browser Session Hijacking (T1185)
Why these techniques?
Stored XSS in the clickmap form allows persistent injection of JavaScript that executes in other users' browsers; lack of HttpOnly on session cookies directly enables browser session hijacking (including admin sessions).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of all user-supplied input to the clickmap form, blocking the stored XSS payload before it is persisted.
- SI-15 (Information Output Filtering): mandates output filtering/encoding of data rendered from the encounter form, neutralizing any malicious script before it executes in other users' browsers.
- Session authenticity: requires protection of session authenticity, which includes configuring cookies with the HttpOnly flag to prevent JavaScript access and subsequent session hijacking.
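The output-encoding and cookie-hardening measures the controls above describe, as an added Python example that is not OpenEMR's code: it encodes a stored clickmap annotation for an HTML context, and audits and hardens a Set-Cookie header for the HttpOnly (and Secure) flag whose absence lets this stored XSS escalate to session hijacking. The cookie name and values are constructed sample data.

```python
"""Added example, not OpenEMR project code: output-encode a stored clickmap
annotation before rendering it (the SI-15 control above) and audit/harden a
Set-Cookie header for the HttpOnly flag whose absence lets stored XSS turn into
session hijacking. Cookie name and values are constructed sample data."""
import html

# Flags a session cookie must carry; a missing HttpOnly is what this CVE relies on.
REQUIRED_FLAGS = ("httponly", "secure")
CANONICAL = {"httponly": "HttpOnly", "secure": "Secure"}


def render_clickmap_note(note: str) -> str:
    """Encode clinician-entered text for an HTML context so stored markup is
    displayed literally rather than executed (quote=True also covers attributes)."""
    return html.escape(note, quote=True)


def _cookie_attrs(header: str) -> list[str]:
    """Lower-cased attribute names of one Set-Cookie header (name=value excluded)."""
    parts = [p.strip() for p in header.split(";")]
    return [p.split("=", 1)[0].lower() for p in parts[1:] if p]


def audit_set_cookie(header: str) -> list[str]:
    """Return the required flags missing from a Set-Cookie header (empty = OK)."""
    attrs = _cookie_attrs(header)
    return [flag for flag in REQUIRED_FLAGS if flag not in attrs]


def harden_set_cookie(header: str) -> str:
    """Return the header with any missing required flags appended."""
    missing = audit_set_cookie(header)
    return header.rstrip("; ") + "".join(f"; {CANONICAL[f]}" for f in missing)


if __name__ == "__main__":
    # Constructed sample: a weak header, then the corrected one.
    weak = "sessionid=abc123; Path=/; SameSite=Strict"
    print("missing:", audit_set_cookie(weak))      # ['httponly', 'secure']
    print("hardened:", harden_set_cookie(weak))
    print(render_clickmap_note("Left knee 7/10 <script>x()</script>"))
```

Run `audit_set_cookie` over the Set-Cookie headers returned by your own deployment's login response to confirm the session cookie carries HttpOnly after upgrading.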