Cross-site scripting in OpenEMR - CVE-2026-32124


Published: April 23, 2026


Vulnerability identifier: #VU127308
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-32124
CWE-ID: CWE-79
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenEMR
Affected software:
OpenEMR

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary script in a victim's browser.

The vulnerability exists due to improper neutralization of input during web page generation in the dynamic code picker's code-description rendering path, when stored code descriptions returned by the AJAX endpoint are displayed. A remote user can create or edit a code entry with a malicious description and thereby execute arbitrary script in a victim's browser.

User interaction is required: the victim must open a form or screen that uses the dynamic code picker.
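To illustrate the defect class described above, the following JavaScript contrasts a client-side renderer that concatenates an AJAX-returned code description into markup unescaped with one that HTML-encodes every untrusted field first. This is an added example, not OpenEMR's own code; the response shape, field names and function names are assumptions.

```javascript
// Constructed sample of a JSON response such as a code-picker AJAX endpoint
// might return (field names are assumed, not OpenEMR's actual schema).
const sampleResponse = JSON.stringify([
  { code: "E11.9", description: "Type 2 diabetes mellitus without complications" },
  // A stored description that carries markup; a user allowed to edit code
  // entries could save a value like this.
  { code: "Z00.0", description: "Encounter <script>/* stored script */</script>" },
]);

// Minimal HTML entity encoding for text placed in an element body or in a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (CWE-79): the description is inserted as-is, so any tags
// it contains become live DOM nodes once the caller assigns the string to
// innerHTML.
function renderUnsafe(jsonText) {
  return JSON.parse(jsonText)
    .map((row) => `<li data-code="${row.code}">${row.description}</li>`)
    .join("");
}

// Hardened version: each untrusted field is encoded before it enters markup,
// so the same stored description is displayed literally instead of executed.
function renderSafe(jsonText) {
  return JSON.parse(jsonText)
    .map((row) => `<li data-code="${escapeHtml(row.code)}">${escapeHtml(row.description)}</li>`)
    .join("");
}

// Review/test helper: a rendered fragment must not contain a raw tag of the
// given name, since only the template's own <li> elements are expected.
function containsRawTag(html, tagName) {
  return new RegExp(`<${tagName}\\b`, "i").test(html);
}
```

In a real page the same effect is obtained by assigning the description to `textContent` or relying on a templating framework's default escaping; the point is that the AJAX response is untrusted data, not trusted markup.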


How to mitigate CVE-2026-32124

Install the security update from the vendor's website.
