anonhaven
Ad

CVE-2026-25743

HIGH CVSS 4.0: 7.2 EPSS 0.43%
Updated Feb 25, 2026
Openemr
Parameter Value
CVSS 7.2 (HIGH)
Type CWE-79 (Cross-Site Scripting (XSS))
Vendor Openemr
Public PoC No

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, users with the "Forms administration" role can fill questionnaires ("forms") in patient encounters. The answers to the forms are displayed on the encounter page and in the visit history for the users with the same role.

There exists a stored cross-site scripting (XSS) vulnerability in the function to display the form answers, allowing any authenticated attacker with the specific role to insert arbitrary JavaScript into the system by entering malicious payloads to the form answers. The JavaScript code is later executed by any user with the form role when viewing the form answers in the patient encounter pages or visit history. Version 8.0.0 fixes the issue.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
High
Difficult to exploit
Attack Requirements
None
No additional conditions
Privileges Required
High
Admin privileges needed
User Interaction
Passive
Minimal interaction

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
High
Complete data modification
Availability
None
No disruption

CVSS Vector v4.0

Weakness Type (CWE)

CWE-79 Cross-Site Scripting (XSS)

References 2

https://github.com/openemr/openemr/commit/da18f83f39648edc2463e8810757380a9f1d9…
security-advisories@github.com
https://github.com/openemr/openemr/security/advisories/GHSA-3xx2-qf6g-6p28
security-advisories@github.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-33910

Open-Emr

8.8

CVE-2026-33909

Open-Emr

5.9

CVE-2026-33348

Open-Emr

5.4

CVE-2026-33321

Openemr

7.2

CVE-2026-33305

Openemr

5.4