{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32119", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T22:19:36.544Z", "datePublished": "2026-03-19T19:41:47.881Z", "dateUpdated": "2026-03-19T20:39:26.670Z"}, "containers": {"cna": {"title": "OpenEMR has Stored DOM XSS via SearchHighlight text-node reconstruction on Custom Report page", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/openemr/openemr/security/advisories/GHSA-q283-5j7f-r6hp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-q283-5j7f-r6hp"}, {"name": "https://github.com/openemr/openemr/commit/70a41122c6d75ebcd219ba2a2535e93a6c188151", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/commit/70a41122c6d75ebcd219ba2a2535e93a6c188151"}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"version": "< 8.0.0.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T19:41:47.881Z"}, "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, DOM-based stored XSS in the jQuery SearchHighlight plugin (`library/js/SearchHighlight.js`) allows an authenticated user with encounter form write access to inject arbitrary JavaScript that executes in another clinician's browser session when they use the search/find feature on the Custom Report page. The plugin reverses server-side HTML entity encoding by reading decoded text from DOM text nodes, concatenating it into a raw HTML string, and passing it to jQuery's `$()` constructor for HTML parsing. Version 8.0.0.2 fixes the issue."}], "source": {"advisory": "GHSA-q283-5j7f-r6hp", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/openemr/openemr/security/advisories/GHSA-q283-5j7f-r6hp", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T20:39:22.528820Z", "id": "CVE-2026-32119", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T20:39:26.670Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32119", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-19T20:39:22.528820Z"}}}], "references": [{"url": "https://github.com/openemr/openemr/security/advisories/GHSA-q283-5j7f-r6hp", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T20:39:17.940Z"}}], "cna": {"title": "OpenEMR has Stored DOM XSS via SearchHighlight text-node reconstruction on Custom Report page", "source": {"advisory": "GHSA-q283-5j7f-r6hp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"status": "affected", "version": "< 8.0.0.2"}]}], "references": [{"url": "https://github.com/openemr/openemr/security/advisories/GHSA-q283-5j7f-r6hp", "name": "https://github.com/openemr/openemr/security/advisories/GHSA-q283-5j7f-r6hp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openemr/openemr/commit/70a41122c6d75ebcd219ba2a2535e93a6c188151", "name": "https://github.com/openemr/openemr/commit/70a41122c6d75ebcd219ba2a2535e93a6c188151", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, DOM-based stored XSS in the jQuery SearchHighlight plugin (`library/js/SearchHighlight.js`) allows an authenticated user with encounter form write access to inject arbitrary JavaScript that executes in another clinician's browser session when they use the search/find feature on the Custom Report page. The plugin reverses server-side HTML entity encoding by reading decoded text from DOM text nodes, concatenating it into a raw HTML string, and passing it to jQuery's `$()` constructor for HTML parsing. Version 8.0.0.2 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T19:41:47.881Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32119", "state": "PUBLISHED", "dateUpdated": "2026-03-19T20:39:26.670Z", "dateReserved": "2026-03-10T22:19:36.544Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-19T19:41:47.881Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "matchCriteriaId": "C78F19AD-BD18-4F61-8B1C-DD099DBC6D34", "versionEndExcluding": "8.0.0.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, DOM-based stored XSS in the jQuery SearchHighlight plugin (`library/js/SearchHighlight.js`) allows an authenticated user with encounter form write access to inject arbitrary JavaScript that executes in another clinician's browser session when they use the search/find feature on the Custom Report page. The plugin reverses server-side HTML entity encoding by reading decoded text from DOM text nodes, concatenating it into a raw HTML string, and passing it to jQuery's `$()` constructor for HTML parsing. Version 8.0.0.2 fixes the issue."}], "id": "CVE-2026-32119", "lastModified": "2026-03-20T16:20:15.460", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T20:16:13.900", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openemr/openemr/commit/70a41122c6d75ebcd219ba2a2535e93a6c188151"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-q283-5j7f-r6hp"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-q283-5j7f-r6hp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.0.0.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openemr", "source": "cna", "vendor": "openemr"}, "product": "openemr", "vendor": "openemr"}], "analysis": {"en": {"generated_at": "2026-03-20T18:23:46.313416+00:00", "value": {"mitigation_remediation": ["Upgrade OpenEMR to version 8.0.0.2 or later to eliminate the vulnerability.", "Restrict encounter\u2011form write permissions to trusted staff to reduce the opportunity for malicious input.", "If an upgrade cannot be applied immediately, disable or remove the SearchHighlight.js plugin to prevent the XSS from being triggered."], "summary": {"action": "Patch", "impact": "Stored DOM XSS"}, "threat_synthesis": {"affected_systems": "All OpenEMR releases prior to 8.0.0.2 are affected. The vulnerability requires an authenticated user with encounter form write permission and a victim who uses the Custom Report search function. The issue is isolated to the SearchHighlight.js plugin within the OpenEMR application.", "description_and_impact": "OpenEMR versions before 8.0.0.2 allow an authenticated user who can write encounter forms to store data that, when a clinician uses the search feature on the Custom Report page, is reconstructed as raw HTML by the SearchHighlight plugin and passes it to jQuery\u2019s $ constructor. This process executes embedded JavaScript in the victim\u2019s browser, giving the attacker the ability to run scripts with the victim\u2019s privileges. The description does not specify any additional capabilities beyond script execution.", "risk_and_exploitability": "The CVSS base score of 4.4 indicates low severity. EPSS is below 1%, suggesting exploitation is unlikely. The vulnerability is not listed in the KEV catalog. Based on the description, the likely attack vector involves the Custom Report search feature accessed by an authenticated user, and the impact is confined to client\u2011side script execution within the same OpenEMR instance. No information is provided about further consequences such as data exfiltration or privilege escalation, so those aspects remain unspecified."}}}}, "created": "2026-03-20T08:56:26.360744+00:00", "updated": "2026-03-25T11:55:11.005190+00:00", "vendors": ["openemr", "openemr$PRODUCT$openemr"]}