SB20260423160 - Multiple vulnerabilities in OpenEMR



SB20260423160 - Multiple vulnerabilities in OpenEMR

Published: April 23, 2026

Security Bulletin ID SB20260423160
CSH Severity
Low
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 vulnerabilities.


1) Cross-site scripting (CVE-ID: CVE-2025-43860)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript code in another user's browser.

The vulnerability exists due to cross-site scripting in the Additional Addresses section of Patient Demographics when rendering stored address field values and dropdown option values. A remote user can enter malicious payloads into the affected fields to execute arbitrary JavaScript code in another user's browser.

User interaction is required when the affected patient record is viewed or edited, and the script may execute during form input or when the stored data is later loaded for editing.


2) Cross-site scripting (CVE-ID: CVE-2025-32794)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear


The vulnerability allows a remote user to execute arbitrary JavaScript in a victim's browser.

The vulnerability exists due to improper neutralization of input during web page generation in the Procedure Orders page when rendering patient names from the First and Last Name fields. A remote user can enter a crafted patient name during patient registration to execute arbitrary JavaScript in a victim's browser.

User interaction is required when another user views the affected patient's encounter under Orders > Procedure Orders.


3) Insufficient Logging (CVE-ID: CVE-2025-32967)

CWE-ID: CWE-778 - Insufficient Logging

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear


The vulnerability allows a remote user to weaken auditability of password change actions.

The vulnerability exists due to insufficient logging in the client-side log viewer and related password change logging functionality when handling password change events through the user interface. A remote user can change a password through the application interface to weaken auditability of password change actions.

Server-side log entries may appear only as vague update events and may not clearly identify the action as a password change.


Remediation

Install update from vendor's website.