PT-2025-22807 · OpenEMR · OpenEMR

Author: Akarsh16Reddy · Published: 2025-05-23 · Updated: 2025-07-02 · CVE-2025-32794

CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: OpenEMR versions prior to 7.0.3.4

Description: A stored cross-site scripting (XSS) issue allows any authenticated user with patient creation privileges to inject arbitrary JavaScript code into the system by entering malicious payloads in the First and Last Name fields during patient registration. This code is later executed when viewing the patient's encounter under Orders → Procedure Orders.

Recommendations: For versions prior to 7.0.3.4, update to version 7.0.3.4 to resolve the issue. As a temporary workaround, consider restricting access to the patient registration module to minimize the risk of exploitation. Avoid using the First and Last Name fields in the patient registration process until the issue is resolved.
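The defensive pattern for this class of bug is to HTML-encode the stored name at the point where the Procedure Orders view renders it, and to audit records that were created while an instance ran an unpatched version. The snippet below is an added illustration, not OpenEMR's own code: the row markup, field names and patient records are constructed sample data, and the `renderOrderRow` and `nameContainsMarkup` helpers are hypothetical.

```php
<?php
// Added example, not OpenEMR code. Demonstrates output encoding of a stored
// patient name at render time plus an audit helper for already-stored names.

// Encode a stored value for safe insertion into an HTML element body.
function escapePatientName(string $name): string
{
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
    // instead of returning an empty string, so a bad byte cannot blank a cell.
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render one row of a procedure-orders table (hypothetical markup, not OpenEMR's).
// Every value that originated from user input goes through the encoder.
function renderOrderRow(array $patient, string $orderTitle): string
{
    $fullName = $patient['fname'] . ' ' . $patient['lname'];
    return '<tr><td>' . escapePatientName($fullName) . '</td>'
         . '<td>' . escapePatientName($orderTitle) . '</td></tr>';
}

// Audit helper for incident response: flag stored names that carry tag
// delimiters or inline-handler syntax. Apostrophes are deliberately allowed
// because they occur in legitimate names; encoding handles them at render time.
function nameContainsMarkup(string $name): bool
{
    return preg_match('/[<>]|javascript:|\bon\w+\s*=/i', $name) === 1;
}

// Constructed sample records: a legitimate name with an apostrophe and one
// record whose first name carries injected markup.
$patients = [
    ['pid' => 101, 'fname' => 'Mary', 'lname' => "O'Brien"],
    ['pid' => 102, 'fname' => '<script>alert(1)</script>', 'lname' => 'Doe'],
];

foreach ($patients as $p) {
    // The second row renders the injected text as literal characters, not a tag.
    echo renderOrderRow($p, 'CBC panel'), PHP_EOL;
    if (nameContainsMarkup($p['fname'] . ' ' . $p['lname'])) {
        echo "pid {$p['pid']}: stored name contains markup, review record", PHP_EOL;
    }
}
```

The audit helper is a triage filter, not a sanitizer: records it flags should be reviewed and corrected by an administrator, while the encoder remains the control that prevents execution regardless of what is stored.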

Related Identifiers

CVE-2025-32794
GHSA-3C27-2M7H-F7RX

Affected Products

OpenEMR