Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.5
OpenEMR: Stored XSS in Billing Interface Allows Session Cookie Theft
CVE-2025-67491
Summary
OpenEMR's billing interface in versions 5.0.0.5 to 7.0.3.4 has a security flaw that lets malicious users steal the login cookies of other users, potentially allowing them to access sensitive patient information. This affects OpenEMR users who don't update to version 7.0.4 or later. Update to the latest version to fix the issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| open-emr | openemr | > 5.0.0.5 , <= 7.0.4 | – |
Original title
OpenEMR is a free and open source electronic health records and medical practice management application. Versions 5.0.0.5 through 7.0.3.4 have a stored cross-site scripting vulnerability in the ub0...
Original description
OpenEMR is a free and open source electronic health records and medical practice management application. Versions 5.0.0.5 through 7.0.3.4 have a stored cross-site scripting vulnerability in the ub04 helper of the billing interface. The variable `$data` is passed in a click event handler enclosed in single quotes without proper sanitization. Thus, despite `json_encode` a malicious user can still inject a payload such as ` ac' ><img src=x onerror=alert(document.cookie)> ` to trigger the bug. This vulnerability allows low privileged users to embed malicious JS payloads on the server and perform stored XSS attack. This, in turn makes it possible for malicious users to steal the session cookies and perform unauthorized actions impersonating administrators. Version 7.0.4 patches the issue.
nvd CVSS3.1
5.4
nvd CVSS4.0
8.5
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026