PT-2026-21822 · Openemr · Openemr
Bradymiller · Published 2026-02-25 · Updated 2026-02-25 · CVE-2026-21443
CVSS v3.1: 6.1 Medium (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Name of the Vulnerable Software and Affected Versions: OpenEMR versions prior to 8.0.0
Description: OpenEMR is an electronic health records and medical practice management application. The xl() function is used to retrieve translated strings. Before version 8.0.0, xl() does not escape the strings it returns. The application includes wrapper functions that escape for specific output contexts (xlt() for HTML text, xla() for HTML attributes, xlj() for JavaScript), but in some places the output of xl() is used directly without any escaping. If an attacker can inject malicious content into the translation database, this can lead to cross-site scripting (XSS) wherever such unescaped output is rendered.
Recommendations: Update to version 8.0.0 or later.
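The pattern the advisory describes, as an added illustration that is not OpenEMR's own code: a minimal translation lookup plus the three context-specific escaping wrappers named above, with a constructed hostile translation entry standing in for tampered database content. The function bodies, the array-backed "database" and the sample strings are assumptions made for this example.

```php
<?php
// Constructed stand-in for the translation database; the second entry
// models content an attacker has managed to store there.
$translations = [
    'Patient Name' => 'Nom du patient',
    'Save'         => 'Enregistrer<script>alert(1)</script>',
];

// xl(): returns the stored translation unchanged (no escaping at all).
function xl(string $key): string {
    global $translations;
    return $translations[$key] ?? $key;
}

// xlt(): translation escaped for an HTML text context.
function xlt(string $key): string {
    return htmlspecialchars(xl($key), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// xla(): translation escaped for a quoted HTML attribute value.
function xla(string $key): string {
    return htmlspecialchars(xl($key), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// xlj(): translation encoded as a JavaScript string literal, with
// characters that could close a <script> block or a string hex-escaped.
function xlj(string $key): string {
    return json_encode(xl($key),
        JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP);
}

// Vulnerable pattern: raw xl() output emitted straight into HTML.
$vulnerable = '<button>' . xl('Save') . '</button>';

// Hardened patterns: the wrapper that matches each output context.
$html   = '<button>' . xlt('Save') . '</button>';
$attr   = '<input type="submit" value="' . xla('Save') . '">';
$script = '<script>var label = ' . xlj('Save') . ';</script>';

echo "vulnerable: $vulnerable", PHP_EOL;
echo "html text:  $html", PHP_EOL;
echo "attribute:  $attr", PHP_EOL;
echo "javascript: $script", PHP_EOL;
```

Only the first line reproduces the stored markup verbatim; the three wrapped forms render the hostile entry as inert text, which is why a code review for this weakness looks for xl() results reaching output without passing through the wrapper for that context.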

Weakness Enumeration: Improper Encoding or Escaping of Output

Related Identifiers

CVE-2026-21443
GHSA-3F9J-CQJJ-7H46

Affected Products

Openemr