CVE-2026-32121
Published: 11 March 2026
Summary
CVE-2026-32121 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Open-Emr Openemr. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). The vulnerability is ranked at the 41.3 percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
- Directly prevents XSS execution by filtering or encoding unsanitized patient names during server-side PHP echo and client-side jQuery .html() rendering.
- Addresses the root cause by validating and sanitizing patient names prior to storage in the patient_data table, blocking malicious payloads from entry.
- Ensures timely remediation by applying the OpenEMR 8.0.0.1 patch, which implements independent fixes for both the server-side and client-side XSS issues.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Stored XSS enables arbitrary JavaScript execution (T1059.007) in the clinician's browser context, directly facilitating browser session hijacking via stolen cookies (T1185) and web credential/cookie theft or forgery (T1606.001) as described in the impacts.
NVD Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, Stored XSS in prescription CSS/HTML print view via patient demographics. That finding involves server-side rendering of patient names via raw PHP echo. This finding involves client-side DOM-based rendering via jQuery .html() in a completely different component (portal/sign/assets/signer_api.js). The two share the same root cause (unsanitized patient names in patient_data), but they have different sinks, different affected components, different trigger actions, and require independent fixes. This vulnerability is fixed in 8.0.0.1.
Deeper analysis [AI]
CVE-2026-32121 is a stored cross-site scripting (XSS) vulnerability affecting OpenEMR, a free and open-source electronic health records and medical practice management application, in versions prior to 8.0.0.1. The issue arises from unsanitized patient names stored in the patient_data table, enabling server-side rendering of malicious content via raw PHP echo in the prescription CSS/HTML print view. A related but distinct client-side DOM-based XSS occurs via jQuery .html() in the portal/sign/assets/signer_api.js component. These share the same root cause but involve different sinks, affected components, trigger actions, and fixes.
The vulnerability has a CVSS v3.1 base score of 7.7 (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating exploitation over the network by an attacker with low privileges, for example an authenticated patient or staff user able to modify demographics. High attack complexity and required user interaction mean the attacker must place a payload in a patient name, which a victim (e.g., a clinician printing prescriptions or using the signer API) then triggers by viewing the affected content. Successful exploitation yields high confidentiality and integrity impacts with changed scope, potentially enabling theft of session cookies, data exfiltration, or unauthorized modifications within the victim's browser context.
The vulnerability is addressed in OpenEMR 8.0.0.1, which implements independent fixes for the server-side and client-side issues. Additional mitigation details are available in the GitHub Security Advisory at https://github.com/openemr/openemr/security/advisories/GHSA-68fr-xm3v-p4vw.
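As an added illustration of the output-filtering control (SI-15) described above, and not code from OpenEMR or the advisory, the following JavaScript contrasts raw string concatenation into an HTML sink (the pre-fix pattern behind the jQuery .html() finding) with contextual HTML encoding of the patient name, and includes a check that only the template's own tags survive. The patient name and the span template are constructed for the example.

```javascript
// Added example (not OpenEMR code): contextual output encoding for a patient
// name before it reaches an HTML sink. The sample name below is constructed.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five HTML-significant characters. This is the client-side
// analogue of PHP's htmlspecialchars(): the result is inert as HTML text and
// can be concatenated into markup that an .html()-style sink will parse.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe variant mirrors the pre-fix pattern: the stored name is inserted
// verbatim, so any markup it carries becomes part of the document.
function renderNameUnsafe(name) {
  return '<span class="patient-name">' + name + '</span>';
}

// Safe variant encodes at the point of output (SI-15), independent of
// whatever validation happened before storage (SI-10).
function renderNameSafe(name) {
  return '<span class="patient-name">' + escapeHtml(name) + '</span>';
}

// Review-time check: after rendering, the only tag names present should be
// the template's own. Encoded "&lt;" does not match a literal "<".
function containsForeignTag(fragment, allowed = ['span']) {
  const tags = [...fragment.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.includes(t));
}

// Constructed sample: legitimate-looking text that is HTML-significant.
const SAMPLE_NAME = "O'Brien <b>Test</b> & Sons";

function demo() {
  const unsafe = renderNameUnsafe(SAMPLE_NAME);
  const safe = renderNameSafe(SAMPLE_NAME);
  return { unsafe, safe, unsafeLeaks: containsForeignTag(unsafe), safeLeaks: containsForeignTag(safe) };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

Where the value is only ever text, writing it through a text sink such as jQuery's .text() or element.textContent instead of .html() removes the encoding step entirely.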
Details
- CWE(s)