CVE-2026-32124 - Vulnerability Analysis
Medium | CVSS: 5.4 | Last Updated: March 13, 2026
OpenEMR - Stored XSS
Published: March 11, 2026 | Updated: March 13, 2026 | PoC Available | Remote Exploitable
Overview
OpenEMR versions before 8.0.0.1 contain a stored XSS caused by a lack of HTML escaping in the dynamic code picker AJAX endpoint. It lets administrators or users with code management rights execute scripts in other users' browsers. Exploitation requires code management privileges.
Severity & Score
Severity: Medium
CVSS Score: 5.4
Impact
Attackers with code management rights can execute scripts in other users' browsers, potentially stealing session data or performing actions on their behalf.
Mitigation
Update to version 8.0.0.1 or later.
Details
- CVE ID: CVE-2026-32124
- Severity: Medium
- CVSS Score: 5.4
- Type: stored_xss
- Status: confirmed
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N