PT-2026-24846 · Git+1 · Openemr

Pavelkohout396 · Published 2026-03-11 · Updated 2026-03-11 · CVE-2026-32125

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: OpenEMR versions prior to 8.0.0.1

Description: OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.1, names associated with items in the 'Track Anything' feature are taken directly from user input (via POST requests) and displayed in Dygraph charts (titles and labels) without proper sanitization. This allows a user with the ability to create or edit 'Track Anything' items to inject malicious script that will execute when any user views the corresponding graph. The issue involves the use of innerHTML or similar methods without escaping, leading to potential cross-site scripting (XSS). The vulnerable component is the rendering of track/item names in Dygraph charts.

Recommendations: Update OpenEMR to version 8.0.0.1 or later.
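The defect described above is a stored XSS caused by placing user-supplied names into chart text that is rendered as HTML. The following is an added illustration, not OpenEMR's or dygraphs' own code: it shows the unsafe pattern (names passed straight through) beside a hardened version that escapes each name at the point it enters an HTML context, plus a check a reviewer can run over the resulting options. The option names `title` and `labels`, the function names, and the sample names are assumptions constructed for this example.

```javascript
// Added example (not OpenEMR's or dygraphs' code): escape user-supplied
// track/item names before handing them to a chart library that renders
// titles and labels via innerHTML.

// Minimal HTML escaper covering the characters that matter in both
// text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: names come from the POST body and go straight into
// options that the chart renders as HTML (option names are assumptions).
function buildChartOptionsUnsafe(trackName, itemNames) {
  return { title: trackName, labels: ["Date", ...itemNames] };
}

// Hardened pattern: every user-controlled string is escaped exactly once,
// where it crosses into an HTML context. Escaping here rather than on
// input keeps the stored names intact for non-HTML consumers.
function buildChartOptions(trackName, itemNames) {
  return {
    title: escapeHtml(trackName),
    labels: ["Date", ...itemNames.map(escapeHtml)],
  };
}

// Review check: after the build step, does any chart string still contain
// raw markup characters? True means something bypassed escaping.
function containsRawMarkup(options) {
  const strings = [options.title, ...options.labels];
  return strings.some((s) => /[<>"']/.test(s));
}

// Constructed sample input: names containing markup characters, as a user
// with edit rights on 'Track Anything' items could submit.
const sampleTrack = 'Blood pressure <b>"home"</b> & clinic';
const sampleItems = ["Systolic", "Diastolic 'evening'"];

function demo() {
  const unsafe = buildChartOptionsUnsafe(sampleTrack, sampleItems);
  const safe = buildChartOptions(sampleTrack, sampleItems);
  return { unsafeHasMarkup: containsRawMarkup(unsafe), safeHasMarkup: containsRawMarkup(safe), safe };
}

console.log(JSON.stringify(demo(), null, 2));
```

Output-side escaping is the right layer for this bug class because the names are legitimately allowed to contain characters like `&` or quotes; stripping them on input would change the data. Where the rendering code is under your control, setting `textContent` instead of `innerHTML` removes the HTML context altogether and makes the escaper unnecessary.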

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-32125
GHSA-244W-VXHP-7X99

Affected Products

Openemr