CVE-2026-32121
📋 TL;DR
This stored cross-site scripting (XSS) vulnerability in OpenEMR allows attackers to inject malicious scripts into patient records that execute when healthcare providers view prescription print views or portal signer components. The vulnerability affects all OpenEMR installations prior to version 8.0.0.1 where patient names aren't properly sanitized before rendering in both server-side PHP and client-side JavaScript contexts.
💻 Affected Systems
- OpenEMR
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal healthcare provider session cookies, perform actions as authenticated users, redirect to malicious sites, or compromise patient data confidentiality and integrity.
Likely Case
Attackers with patient record access could inject scripts that steal session tokens when healthcare providers view affected pages, leading to account takeover and unauthorized access to medical records.
If Mitigated
With proper input validation and output encoding, malicious scripts would be rendered harmless as text rather than executable code.
🎯 Exploit Status
Requires ability to modify patient data (typically authenticated access), but exploitation is straightforward once patient names contain malicious scripts.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.0.0.1
Vendor Advisory: https://github.com/openemr/openemr/security/advisories/GHSA-68fr-xm3v-p4vw
Restart Required: No
Instructions:
1. Backup your OpenEMR installation and database.
2. Download OpenEMR 8.0.0.1 or later from the official repository.
3. Replace the affected files or perform a complete upgrade following the OpenEMR upgrade documentation.
4. Verify the fix by checking that patient names are properly sanitized in both prescription print views and portal signer components.
🔧 Temporary Workarounds
Input Validation for Patient Names
Implement server-side validation that sanitizes patient names before storage, removing or encoding HTML/JavaScript special characters.
Output Encoding in Affected Components
Modify the prescription CSS/HTML print view and portal/sign/assets/signer_api.js to use safe output methods: .text() instead of .html() in jQuery, and htmlspecialchars() in PHP.
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to detect and block XSS payloads in patient data submissions.
- Restrict access to patient demographic editing functions to only trusted administrative users.
🔍 How to Verify
Check if Vulnerable:
Check if your OpenEMR version is below 8.0.0.1 and test if patient names containing script tags (e.g., <script>alert('test')</script>) execute when viewing prescription print views or portal signer pages.
Check Version:
Check OpenEMR version in the admin interface or examine the version.php file in the installation directory.
Verify Fix Applied:
After patching, test with malicious patient names to confirm scripts don't execute. Verify both server-side PHP rendering and client-side jQuery rendering properly encode output.
📡 Detection & Monitoring
Log Indicators:
- Unusual patient name modifications containing script tags or JavaScript code
- Multiple failed attempts to access prescription print views
Network Indicators:
- Unexpected outbound connections from healthcare provider workstations after viewing patient records
SIEM Query:
source="openemr_logs" AND (patient_name="*<script>*" OR patient_name="*javascript:*")
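The following is an added illustration, not OpenEMR code, of the output-encoding workaround above (the PHP htmlspecialchars() / jQuery .text() fix) and of the detection indicators in this section. The record layout (fname/lname fields) and the render functions are assumptions for the example; the payload is the advisory's own test string.

```javascript
// Equivalent of PHP htmlspecialchars($s, ENT_QUOTES): every character that can
// break out of a text node or an attribute value becomes an entity.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// Vulnerable pattern (hypothetical print-view renderer): the stored name is
// interpolated straight into markup, which is what an unescaped PHP echo or a
// jQuery .html(name) call effectively does. Stored <script> executes on view.
function renderPrescriptionUnsafe(patient) {
  return `<div class="patient">${patient.fname} ${patient.lname}</div>`;
}

// Hardened pattern: encode on output, at the point of rendering. In the browser
// the equivalent is $(el).text(name) or el.textContent = name, neither of which
// parses the string as HTML.
function renderPrescriptionSafe(patient) {
  return `<div class="patient">${escapeHtml(patient.fname)} ${escapeHtml(patient.lname)}</div>`;
}

// Detection helper mirroring the SIEM indicators above: a patient name carrying
// a script tag or a javascript: URI is not a legitimate name and merits review.
const SUSPICIOUS_NAME = /<\s*script\b|javascript\s*:/i;
function isSuspiciousPatientName(name) {
  return SUSPICIOUS_NAME.test(String(name));
}

// Constructed sample record using the advisory's own benign test payload.
const samplePatient = { fname: "<script>alert('test')</script>", lname: "Doe" };

console.log(renderPrescriptionUnsafe(samplePatient)); // script tag survives intact
console.log(renderPrescriptionSafe(samplePatient));   // rendered as inert text
console.log(isSuspiciousPatientName(samplePatient.fname)); // true
```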