CVE-2025-69231: OpenEMR older versions allow malicious scripts to run on patient forms
CVSS score: 5.4
Summary
In older versions of OpenEMR, an authenticated user with clinician privileges can inject malicious script into the GAD-7 anxiety assessment patient form. The script runs when another clinician or administrator views the form, potentially allowing session hijacking, account takeover, and escalation from clinician to administrator privileges. Update to version 8.0.0 or later to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| open-emr | openemr | <= 8.0.0 | – |
Original title
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a stored cross-site scripting vulnerability in the GAD-7 anxiety ass...
Original description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a stored cross-site scripting vulnerability in the GAD-7 anxiety assessment form allows authenticated users with clinician privileges to inject malicious JavaScript that executes when other users view the form. This enables session hijacking, account takeover, and privilege escalation from clinician to administrator. Version 8.0.0 fixes the issue.
NVD CVSS 3.1 score: 5.4
Vulnerability type
CWE-79: Cross-site Scripting (XSS)
Published: 25 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026