PT-2026-24839 · Git+1 · Openemr

Pavelkohout396 · Published 2026-03-11 · Updated 2026-03-11 · CVE-2026-32118

CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenEMR versions prior to 8.0.0.1

Description: OpenEMR is a free and open-source electronic health records and medical practice management application. A stored cross-site scripting (XSS) vulnerability exists in the Graphical Pain Map ("clickmap") form. Any authenticated clinician can inject arbitrary JavaScript through this form; the script is stored and executes in the browser of every subsequent user who views the affected encounter form. Because OpenEMR's session cookies are not marked HttpOnly, the injected script can read them, enabling full session hijacking of other users, including administrators, and therefore unauthorized access under their accounts.

Recommendations: Update OpenEMR to version 8.0.0.1 or later.

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-32118
GHSA-55QJ-X8WH-M4RM

Affected Products

Openemr