SB20260423160 - Multiple vulnerabilities in OpenEMR
Published: April 23, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 vulnerabilities.
1) Cross-site scripting (CVE-ID: CVE-2025-43860)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript code in another user's browser.
The vulnerability exists due to cross-site scripting in the Additional Addresses section of Patient Demographics when rendering stored address field values and dropdown option values. A remote user can enter malicious payloads into the affected fields to execute arbitrary JavaScript code in another user's browser.
User interaction is required when the affected patient record is viewed or edited, and the script may execute during form input or when the stored data is later loaded for editing.
2) Cross-site scripting (CVE-ID: CVE-2025-32794)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary JavaScript in a victim's browser.
The vulnerability exists due to improper neutralization of input during web page generation in the Procedure Orders page when rendering patient names from the First and Last Name fields. A remote user can enter a crafted patient name during patient registration to execute arbitrary JavaScript in a victim's browser.
User interaction is required when another user views the affected patient's encounter under Orders > Procedure Orders.
3) Insufficient Logging (CVE-ID: CVE-2025-32967)
CWE-ID: CWE-778 - Insufficient Logging
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to weaken auditability of password change actions.
The vulnerability exists due to insufficient logging in the client-side log viewer and related password change logging functionality when handling password change events through the user interface. A remote user can change a password through the application interface to weaken auditability of password change actions.
Server-side log entries may appear only as vague update events and may not clearly identify the action as a password change.
Remediation
Install update from vendor's website.