Cross-site scripting in OpenEMR - CVE-2025-43860

Published: April 23, 2026


Vulnerability identifier: #VU127238
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2025-43860
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenEMR
Affected software:
OpenEMR

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary JavaScript code in another user's browser.

The vulnerability exists due to insufficient output encoding in the Additional Addresses section of Patient Demographics: stored address field values and dropdown option values are rendered without being escaped. A remote user can enter malicious payloads into the affected fields to execute arbitrary JavaScript code in another user's browser.

User interaction is required: the affected patient record must be viewed or edited. The script may execute during form input or later, when the stored data is loaded back into the form for editing.
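The following is an added illustration of the defect class described above, not code from OpenEMR (which is written in PHP): a stored address value and a dropdown option are rendered once without escaping and once with it, and a parser check shows that only the escaped form keeps the stored string inside the attribute instead of letting it alter the markup. The field names and sample values are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed sample values (not taken from OpenEMR): a stored street line and
# a dropdown option that contain characters with meaning inside HTML.
STORED_STREET = 'Apt "2B" <Rear Entrance>'
REGION_OPTIONS = [("NY", "New York"), ('X" rare', "Custom <Region>")]

def render_street_unsafe(value):
    # Vulnerable pattern: the stored value is placed straight into an attribute.
    return f'<input name="street" value="{value}">'

def render_street_safe(value):
    # Hardened form: html.escape(quote=True) encodes & < > " and ', so the value
    # can neither close the attribute nor start a new tag.
    return f'<input name="street" value="{html.escape(value, quote=True)}">'

def render_region_select_safe(options, selected):
    # Dropdowns need the same treatment for the option value and its label text.
    out = ['<select name="region">']
    for value, label in options:
        sel = " selected" if value == selected else ""
        out.append(f'<option value="{html.escape(value, quote=True)}"{sel}>'
                   f'{html.escape(label)}</option>')
    out.append("</select>")
    return "".join(out)

class _TagCollector(HTMLParser):
    # Records each start tag a browser-like parser sees; attribute values are
    # entity-decoded by the parser, as a browser would do.
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

def parse_tags(markup):
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags

def value_round_trips(markup, expected):
    # True only if the markup parses as exactly one <input> whose decoded value
    # equals the stored string: the data survived and the structure did not change.
    tags = parse_tags(markup)
    return len(tags) == 1 and tags[0][0] == "input" and tags[0][1].get("value") == expected

if __name__ == "__main__":
    print(value_round_trips(render_street_unsafe(STORED_STREET), STORED_STREET))  # False
    print(value_round_trips(render_street_safe(STORED_STREET), STORED_STREET))    # True
```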

How to mitigate CVE-2025-43860

Install the security update from the vendor's website.

Sources