CVE-2026-32125 - Vulnerability Analysis
Medium | CVSS: 5.4 | Last Updated: March 13, 2026
OpenEMR - Stored XSS
Published: March 11, 2026 | Updated: March 13, 2026 | PoC Available | Remote Exploitable
Overview
OpenEMR versions before 8.0.0.1 contain a stored XSS vulnerability caused by unescaped user input in Track Anything item names, which are rendered in Dygraph charts. An authenticated user can inject scripts that execute for any user who views the graph. Exploitation requires the user to create or edit items.
Severity & Score
Severity: Medium
CVSS Score: 5.4
Impact
Authenticated users can inject scripts executed by any user viewing the graph, leading to client-side code execution and potential session hijacking.
Mitigation
Update to version 8.0.0.1 or later.
Details
- CVE ID: CVE-2026-32125
- Severity: Medium
- CVSS Score: 5.4
- Type: stored_xss
- Status: confirmed
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N