PT-2026-24845 · Git+1 · Openemr
Pavelkohout396
Published: 2026-03-11 · Updated: 2026-03-11
CVE-2026-32124
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
OpenEMR versions prior to 8.0.0.1
Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.1, the dynamic code picker ''/ajax/dynamic code picker'' endpoint returns code descriptions (code text) that are rendered in the front end (e.g., DataTables) without HTML escaping. If an administrator or a user with code management rights creates or edits a code with a malicious description containing a script, that script executes in the browser of every user who uses the picker.
Recommendations
Update to version 8.0.0.1 or later.
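The description above comes down to server-supplied description text reaching the DOM unescaped. The following is an added example, not OpenEMR's code or its fix: it shows output escaping in the shape of a DataTables `columns.render` callback, plus a review helper for stored descriptions. The row shape, the field names `code` and `code_text`, and the sample rows are assumptions constructed for illustration.

```javascript
// Added example (not OpenEMR code). Row shape and field names are assumed.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Encode the five characters that can change HTML parsing context.
function escapeHtml(value) {
  if (value === null || value === undefined) return '';
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Same (data, type) signature as a DataTables columns.render callback.
// Escape only what is displayed; sorting and filtering keep the raw text
// so that "<" and "&" in legitimate descriptions still search correctly.
function renderText(data, type) {
  return type === 'display' ? escapeHtml(data) : data;
}

// Review helper: return the codes whose stored description contains
// tag-like markup, so entries saved before the upgrade can be inspected.
function auditDescriptions(rows) {
  const tagLike = /<\s*\/?[a-z!]/i;
  return rows
    .filter((row) => tagLike.test(String(row.code_text || '')))
    .map((row) => row.code);
}

// Constructed sample rows, as the picker endpoint might return them.
const sampleRows = [
  { code: 'X001', code_text: 'Essential hypertension' },
  { code: 'X002', code_text: '<script>alert(1)</script>' },
  { code: 'X003', code_text: 'Weight < 50 kg & height > 150 cm' },
];

for (const row of sampleRows) {
  console.log(row.code, '->', renderText(row.code_text, 'display'));
}
console.log('needs review:', auditDescriptions(sampleRows));
```

DataTables also provides a built-in `render.text()` helper that performs this escaping for a column.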
Exploit
Fix
XSS
Weakness Enumeration
Related identifiers
Affected products
Openemr