OpenEMR: Dynamic Code Picker Renders Unescaped Descriptions (Stored XSS)

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

5.4

OpenEMR: Dynamic Code Picker Renders Unescaped Descriptions (Stored XSS)

CVE-2026-32124 GHSA-9hw7-22mr-qhfc

Summary

Original title

OpenEMR: Dynamic Code Picker Renders Unescaped Descriptions (Stored XSS)

Original description

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the dynamic code picker AJAX endpoint returns code descriptions (code_text) that are rendered in the front end (e.g. DataTables) without HTML escaping. If an administrator (or user with code management rights) creates or edits a code with a malicious description containing script, that script runs in the browser of every user who uses the picker. This vulnerability is fixed in 8.0.0.1.

osv CVSS3.1 5.4

Vulnerability type

CWE-79 Cross-site Scripting (XSS)

https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32124... Vendor Advisory
https://github.com/openemr/openemr/security/advisories/GHSA-9hw7-22mr-qhfc Vendor Advisory
https://nvd.nist.gov/vuln/detail/CVE-2026-32124 Vendor Advisory

Published: 11 Mar 2026 · Updated: 14 Mar 2026 · First seen: 14 Mar 2026