Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.4
OpenEMR Track Anything feature allows script injection
CVE-2026-32125
Summary
A security issue in OpenEMR's Track Anything feature allows an attacker to inject malicious code into a medical practice's electronic health records. This could allow the attacker to access sensitive patient information or disrupt the practice's operations. Update to version 8.0.0.1 or later to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| open-emr | openemr | <= 8.0.0.1 | – |
Original title
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, track/item names from the Track Anything feature are stored from user inpu...
Original description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, track/item names from the Track Anything feature are stored from user input (POST) and later rendered in Dygraph charts (titles/labels) using innerHTML or equivalent without escaping. A user who can create or edit Track Anything items can inject script that runs when any user views the corresponding graph. This vulnerability is fixed in 8.0.0.1.
nvd CVSS3.1
5.4
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026