OpenEMR: Stored XSS in Track Anything Graphs via Unescaped Dygraph Titles/Labels

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

5.4

OpenEMR: Stored XSS in Track Anything Graphs via Unescaped Dygraph Titles/Labels

CVE-2026-32125 GHSA-244w-vxhp-7x99

Summary

Original title

OpenEMR: Stored XSS in Track Anything Graphs via Unescaped Dygraph Titles/Labels

Original description

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, track/item names from the Track Anything feature are stored from user input (POST) and later rendered in Dygraph charts (titles/labels) using innerHTML or equivalent without escaping. A user who can create or edit Track Anything items can inject script that runs when any user views the corresponding graph. This vulnerability is fixed in 8.0.0.1.

osv CVSS3.1 5.4

Vulnerability type

CWE-79 Cross-site Scripting (XSS)

https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32125... Vendor Advisory
https://github.com/openemr/openemr/security/advisories/GHSA-244w-vxhp-7x99 Vendor Advisory
https://nvd.nist.gov/vuln/detail/CVE-2026-32125 Vendor Advisory

Published: 11 Mar 2026 · Updated: 14 Mar 2026 · First seen: 14 Mar 2026