{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32124", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T22:19:36.545Z", "datePublished": "2026-03-11T20:50:41.372Z", "dateUpdated": "2026-03-12T14:12:43.517Z"}, "containers": {"cna": {"title": "OpenEMR: Dynamic Code Picker Renders Unescaped Descriptions (Stored XSS)", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/openemr/openemr/security/advisories/GHSA-9hw7-22mr-qhfc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-9hw7-22mr-qhfc"}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"version": "< 8.0.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T20:50:41.372Z"}, "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the dynamic code picker AJAX endpoint returns code descriptions (code_text) that are rendered in the front end (e.g. DataTables) without HTML escaping. If an administrator (or user with code management rights) creates or edits a code with a malicious description containing script, that script runs in the browser of every user who uses the picker. This vulnerability is fixed in 8.0.0.1."}], "source": {"advisory": "GHSA-9hw7-22mr-qhfc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T14:12:22.952469Z", "id": "CVE-2026-32124", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T14:12:43.517Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32124", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T14:12:22.952469Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T14:12:38.693Z"}}], "cna": {"title": "OpenEMR: Dynamic Code Picker Renders Unescaped Descriptions (Stored XSS)", "source": {"advisory": "GHSA-9hw7-22mr-qhfc", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"status": "affected", "version": "< 8.0.0.1"}]}], "references": [{"url": "https://github.com/openemr/openemr/security/advisories/GHSA-9hw7-22mr-qhfc", "name": "https://github.com/openemr/openemr/security/advisories/GHSA-9hw7-22mr-qhfc", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the dynamic code picker AJAX endpoint returns code descriptions (code_text) that are rendered in the front end (e.g. DataTables) without HTML escaping. If an administrator (or user with code management rights) creates or edits a code with a malicious description containing script, that script runs in the browser of every user who uses the picker. This vulnerability is fixed in 8.0.0.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T20:50:41.372Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32124", "state": "PUBLISHED", "dateUpdated": "2026-03-12T14:12:43.517Z", "dateReserved": "2026-03-10T22:19:36.545Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T20:50:41.372Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "matchCriteriaId": "136D07EE-9108-423B-AD86-E9E901940C17", "versionEndExcluding": "8.0.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, the dynamic code picker AJAX endpoint returns code descriptions (code_text) that are rendered in the front end (e.g. DataTables) without HTML escaping. If an administrator (or user with code management rights) creates or edits a code with a malicious description containing script, that script runs in the browser of every user who uses the picker. This vulnerability is fixed in 8.0.0.1."}, {"lang": "es", "value": "OpenEMR es una aplicaci\u00f3n gratuita y de c\u00f3digo abierto de registros m\u00e9dicos electr\u00f3nicos y gesti\u00f3n de consultorios m\u00e9dicos. Antes de la 8.0.0.1, el endpoint AJAX del selector de c\u00f3digos din\u00e1mico devuelve descripciones de c\u00f3digos (code_text) que se renderizan en el frontend (p. ej., DataTables) sin escape HTML. Si un administrador (o un usuario con derechos de gesti\u00f3n de c\u00f3digos) crea o edita un c\u00f3digo con una descripci\u00f3n maliciosa que contiene un script, ese script se ejecuta en el navegador de cada usuario que utiliza el selector. Esta vulnerabilidad se ha corregido en la 8.0.0.1."}], "id": "CVE-2026-32124", "lastModified": "2026-03-13T15:47:23.440", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-11T21:16:18.353", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-9hw7-22mr-qhfc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.0.0.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openemr", "source": "cna", "vendor": "openemr"}, "product": "openemr", "vendor": "openemr"}], "analysis": {"en": {"generated_at": "2026-04-16T02:59:46.724014+00:00", "value": {"mitigation_remediation": ["Upgrade to OpenEMR 8.0.0.1 or later to eliminate the stored XSS flaw.", "Invalidate any cached or stored code picker data that may contain old malicious descriptions to prevent residual attacks during transition.", "Restrict the ability to create or edit code descriptions to highly trusted administrators and audit these privileges regularly.", "Implement a Content\u2011Security\u2011Policy that disallows inline scripts, providing an additional safety net if the bug is inadvertently re\u2011introduced."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting that runs in users\u2019 browsers"}, "threat_synthesis": {"affected_systems": "OpenEMR versions earlier than 8.0.0.1 are affected. The issue arises in the AJAX endpoint that returns code_text for code pickers used in many parts of the application. The fix was implemented in OpenEMR 8.0.0.1.", "description_and_impact": "This vulnerability allows a malicious code description to be stored in the database and rendered by the dynamic code picker endpoint without HTML escaping. An attacker who can create or edit a code\u2014typically an administrator or a user with code\u2011management rights\u2014can inject arbitrary JavaScript. When any user opens the picker, the script executes in their browser, enabling phishing attacks, credential theft, or session hijacking.", "risk_and_exploitability": "The CVSS score is 5.4, indicating moderate severity. EPSS is under 1\u202f%, suggesting exploitation is currently unlikely, and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires authenticated access to the code\u2011management interface; unauthenticated users cannot inject payloads. Therefore the threat is confined to environments where privileged users are compromised or maliciously enabled."}}}}, "created": "2026-03-12T09:55:53.386801+00:00", "updated": "2026-04-16T03:00:09.189352+00:00", "vendors": ["openemr", "openemr$PRODUCT$openemr"]}