{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32125", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T22:19:36.545Z", "datePublished": "2026-03-11T20:51:32.276Z", "dateUpdated": "2026-03-12T14:13:44.208Z"}, "containers": {"cna": {"title": "OpenEMR: Stored XSS in Track Anything Graphs via Unescaped Dygraph Titles/Labels", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/openemr/openemr/security/advisories/GHSA-244w-vxhp-7x99", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-244w-vxhp-7x99"}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"version": "< 8.0.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T20:51:32.276Z"}, "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, track/item names from the Track Anything feature are stored from user input (POST) and later rendered in Dygraph charts (titles/labels) using innerHTML or equivalent without escaping. A user who can create or edit Track Anything items can inject script that runs when any user views the corresponding graph. This vulnerability is fixed in 8.0.0.1."}], "source": {"advisory": "GHSA-244w-vxhp-7x99", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T14:13:17.457098Z", "id": "CVE-2026-32125", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T14:13:44.208Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32125", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T14:13:17.457098Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T14:13:38.278Z"}}], "cna": {"title": "OpenEMR: Stored XSS in Track Anything Graphs via Unescaped Dygraph Titles/Labels", "source": {"advisory": "GHSA-244w-vxhp-7x99", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"status": "affected", "version": "< 8.0.0.1"}]}], "references": [{"url": "https://github.com/openemr/openemr/security/advisories/GHSA-244w-vxhp-7x99", "name": "https://github.com/openemr/openemr/security/advisories/GHSA-244w-vxhp-7x99", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, track/item names from the Track Anything feature are stored from user input (POST) and later rendered in Dygraph charts (titles/labels) using innerHTML or equivalent without escaping. A user who can create or edit Track Anything items can inject script that runs when any user views the corresponding graph. This vulnerability is fixed in 8.0.0.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T20:51:32.276Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32125", "state": "PUBLISHED", "dateUpdated": "2026-03-12T14:13:44.208Z", "dateReserved": "2026-03-10T22:19:36.545Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T20:51:32.276Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "matchCriteriaId": "136D07EE-9108-423B-AD86-E9E901940C17", "versionEndExcluding": "8.0.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, track/item names from the Track Anything feature are stored from user input (POST) and later rendered in Dygraph charts (titles/labels) using innerHTML or equivalent without escaping. A user who can create or edit Track Anything items can inject script that runs when any user views the corresponding graph. This vulnerability is fixed in 8.0.0.1."}, {"lang": "es", "value": "OpenEMR es una aplicaci\u00f3n gratuita y de c\u00f3digo abierto para la gesti\u00f3n de registros m\u00e9dicos electr\u00f3nicos y la pr\u00e1ctica m\u00e9dica. Previo a la versi\u00f3n 8.0.0.1, los nombres de pistas/elementos de la funci\u00f3n 'Track Anything' se almacenan a partir de la entrada del usuario (POST) y luego se renderizan en gr\u00e1ficos Dygraph (t\u00edtulos/etiquetas) utilizando innerHTML o equivalente sin escape. Un usuario que puede crear o editar elementos de 'Track Anything' puede inyectar scripts que se ejecutan cuando cualquier usuario ve el gr\u00e1fico correspondiente. Esta vulnerabilidad se corrige en la versi\u00f3n 8.0.0.1."}], "id": "CVE-2026-32125", "lastModified": "2026-03-13T15:47:01.130", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-11T21:16:18.540", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-244w-vxhp-7x99"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.0.0.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openemr", "source": "cna", "vendor": "openemr"}, "product": "openemr", "vendor": "openemr"}], "analysis": {"en": {"generated_at": "2026-03-17T16:21:43.859422+00:00", "value": {"mitigation_remediation": ["Upgrade OpenEMR to version 8.0.0.1 or later."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting (XSS) in Chart Titles"}, "threat_synthesis": {"affected_systems": "The issue exists in OpenEMR versions prior to 8.0.0.1. All installations running any release before that patch are affected; the fix is applied in OpenEMR 8.0.0.1 and later.", "description_and_impact": "OpenEMR stores user supplied track names from the Track Anything feature without escaping them, and these names are later rendered in Dygraph charts using innerHTML or equivalent. This allows an attacker with the ability to create or edit items to inject script that runs in the browser of any user who views the corresponding graph. The vulnerability can lead to execution of arbitrary JavaScript, potentially enabling session hijacking, data theft or phishing. The weakness is categorized as CWE-79.", "risk_and_exploitability": "The CVSS base score is 5.4, indicating moderate severity. The EPSS score is below 1\u202f%, suggesting low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to have write access to Track Anything items and then a victim to view the graph, making it a stored XSS that can be triggered by any user who views the chart after the payload is stored. Given the moderate score and low exploit likelihood, the risk is considered moderate but should be mitigated promptly."}}}}, "created": "2026-03-12T09:55:52.460293+00:00", "updated": "2026-03-20T15:37:00.604766+00:00", "vendors": ["openemr", "openemr$PRODUCT$openemr"]}