Improper Encoding or Escaping of Output in OpenEMR - CVE-2026-21443

Published: April 23, 2026
Vulnerability identifier: #VU127251
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-21443
CWE-ID: CWE-116
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenEMR
Affected software: OpenEMR

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script code in another user's browser.

The vulnerability exists due to improper encoding or escaping of the output of the xl() translation function and its related translation wrappers: translation strings are rendered in HTML, XML, or JavaScript contexts without being escaped for that context. A remote user who can insert malicious content into the translation database can thereby execute arbitrary script code in the browser of any user to whom the tampered translation is rendered.

Exploitation requires the ability to modify translation table contents in the database.
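As an added illustration that is not OpenEMR's code, the following hypothetical PHP translation lookup reproduces the CWE-116 pattern the advisory describes (a wrapper that returns the stored string untouched) beside context-specific wrappers that escape the string for the HTML or JavaScript context it is emitted into. The function names xl_raw, xl_html and xl_js and the translation table are constructed for this example.

```php
<?php
// Added example, not OpenEMR's code. Demonstrates why a translation string
// taken from the database must be treated as untrusted output.
declare(strict_types=1);

// Constructed stand-in for the translation table. The second entry is the
// kind of content the advisory says a user with database write access
// could store; the literal payload is only an inert marker here.
const TRANSLATIONS = [
    'Patient Name' => 'Nom du patient',
    'Save'         => '<script>alert(1)</script>',
];

// Hypothetical lookup with the defect: whatever was stored is returned
// verbatim, so a caller that echoes it into a page emits live markup.
function xl_raw(string $key): string
{
    return TRANSLATIONS[$key] ?? $key;
}

// Hardened wrapper for HTML text nodes and quoted attribute values.
// ENT_QUOTES escapes both quote styles, so the result is inert in either.
function xl_html(string $key): string
{
    return htmlspecialchars(xl_raw($key), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened wrapper for a JavaScript string literal (quotes included).
// JSON_HEX_TAG turns < and > into \u003C and \u003E, so a stored
// "</script>" can never terminate the enclosing script element.
function xl_js(string $key): string
{
    return json_encode(
        xl_raw($key),
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Vulnerable rendering: the tampered entry reaches the browser as markup.
echo '<button>' . xl_raw('Save') . "</button>\n";

// Hardened rendering: the same entry is displayed as text in each context.
echo '<button>' . xl_html('Save') . "</button>\n";
echo '<input type="submit" value="' . xl_html('Save') . "\">\n";
echo '<script>var label = ' . xl_js('Save') . ";</script>\n";
```

The same check applies to every caller of a translation function: the escaping must match the output context at the point of rendering, because the database cannot be relied on to hold only benign text.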
How to mitigate CVE-2026-21443

Install the security update from the vendor's website.
