
OpenEMR Unescaped Strings Expose Medical Practice to Malicious Code Injection

CVE-2026-21443
Summary

OpenEMR's `xl()` translation function returns unescaped strings, and in some places its output is rendered directly. An attacker who can insert malicious content into the translation database could therefore inject script into a medical practice's OpenEMR site (cross-site scripting), which could lead to unauthorized access to sensitive patient information. To protect your practice, upgrade to version 8.0.0 or later.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor: open-emr
Product: openemr
Affected versions: <= 8.0.0
Fix available: –
Original description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the `xl()` translation function returns unescaped strings. While wrapper functions exist for escaping in different contexts (`xlt()` for HTML, `xla()` for attributes, `xlj()` for JavaScript), there are places in the codebase where `xl()` output is used directly without escaping. If an attacker could insert malicious content into the translation database, these unescaped outputs could lead to XSS. Version 8.0.0 fixes the issue.
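The pattern the description refers to, as an added example that is not OpenEMR's code: `xl()`, `xlt()`, `xla()` and `xlj()` below are simplified stand-ins written for this illustration (the real OpenEMR implementations differ), the translation table is constructed sample data with one tampered entry, and the `renderButton*` functions and `containsRawTranslation()` are hypothetical helpers. It shows why a raw `xl()` call is unsafe in any output context and how the context-specific wrappers neutralize a poisoned translation string.

```php
<?php
// Added example, not OpenEMR code. xl()/xlt()/xla()/xlj() are simplified
// stand-ins for the contexts named in the advisory (assumption: the real
// OpenEMR functions are implemented differently).

// Constructed translation database: the 'Save' entry has been tampered with,
// matching the advisory's attacker model (attacker controls translation content).
$TRANSLATIONS = [
    'Patient Name' => 'Nom du patient',
    'Save'         => '<script>alert(1)</script>',  // constructed malicious entry
];

// Raw lookup: returns the stored string with NO escaping (the unsafe primitive).
function xl(string $key): string {
    global $TRANSLATIONS;
    return $TRANSLATIONS[$key] ?? $key;
}

// HTML text context: entity-encode <, >, &, " and '.
function xlt(string $key): string {
    return htmlspecialchars(xl($key), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// HTML attribute context: ENT_QUOTES also neutralizes both quote styles,
// so the value cannot break out of a quoted attribute.
function xla(string $key): string {
    return htmlspecialchars(xl($key), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// JavaScript string-literal context: json_encode emits a quoted JS string and
// the JSON_HEX_* flags hex-escape <, >, &, ' and " so a closing </script>
// inside the translation cannot terminate the script block.
function xlj(string $key): string {
    return json_encode(xl($key), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Vulnerable pattern (hypothetical helper): raw xl() output interpolated into
// an attribute and into element text.
function renderButtonVulnerable(string $label): string {
    return '<button title="' . xl($label) . '">' . xl($label) . '</button>';
}

// Hardened pattern (hypothetical helper): one escaper per output context.
function renderButtonHardened(string $label): string {
    return '<button title="' . xla($label) . '">' . xlt($label) . '</button>'
         . '<script>var label = ' . xlj($label) . ';</script>';
}

// Regression check usable in a test suite: the raw translation string must
// never appear verbatim in rendered output.
function containsRawTranslation(string $html, string $key): bool {
    return str_contains($html, xl($key));
}

echo renderButtonVulnerable('Save'), PHP_EOL;  // tampered markup is emitted verbatim
echo renderButtonHardened('Save'), PHP_EOL;    // emitted as inert text in every context
var_dump(containsRawTranslation(renderButtonVulnerable('Save'), 'Save'));
var_dump(containsRawTranslation(renderButtonHardened('Save'), 'Save'));
```

The point of keeping three wrappers rather than one is that the correct escaping depends on where the string lands: entity encoding is right for HTML text and attributes but wrong for a JavaScript literal, where a JSON-encoded, hex-escaped string is needed. Auditing for this class of issue means grepping for bare `xl(` calls whose result reaches output and replacing each with the wrapper that matches its context.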
NVD CVSS 3.1: 6.1
NVD CVSS 4.0: 1.2
Vulnerability type
CWE-116 (Improper Encoding or Escaping of Output)
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026