Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.0
OpenEMR Graphical Pain Map allows attackers to hijack user sessions
CVE-2026-32118
Summary
A critical issue in OpenEMR's Graphical Pain Map allows an authorized clinician to steal other users' sessions, potentially giving them access to sensitive patient information. This is fixed in version 8.0.0.1. Update to the latest version to protect your practice.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| open-emr | openemr | <= 8.0.0.1 | – |
Original title
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, stored cross-site scripting (XSS) in the Graphical Pain Map ("clickmap") f...
Original description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, stored cross-site scripting (XSS) in the Graphical Pain Map ("clickmap") form allows any authenticated clinician to inject arbitrary JavaScript that executes in the browser of every subsequent user who views the affected encounter form. Because session cookies are not marked HttpOnly, this enables full session hijacking of other users, including administrators. This vulnerability is fixed in 8.0.0.1.
nvd CVSS3.1
5.4
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026