CVE-2026-32119

Name of the Vulnerable Software and Affected Versions OpenEMR versions prior to 8.0.0.2

Description OpenEMR is an electronic health records and medical practice management application. A DOM-based stored cross-site scripting issue exists in the jQuery SearchHighlight plugin (library/js/SearchHighlight.js). An authenticated user with encounter form write access can inject arbitrary JavaScript that executes in another clinician's browser session when using the search/find feature on the Custom Report page. The plugin reverses server-side HTML entity encoding by reading decoded text from DOM text nodes, concatenating it into a raw HTML string, and passing it to jQuery's $() constructor for HTML parsing.

Recommendations Update to OpenEMR version 8.0.0.2 or later.