CVE-2026-32118CRITICAL 9.0EPSS p19.7%

CVE-2026-32118CVE-2026-32118

Description

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, stored cross-site scripting (XSS) in the Graphical Pain Map ("clickmap") form allows any authenticated clinician to inject arbitrary JavaScript that executes in the browser of every subsequent user who views the affected encounter form. Because session cookies are not marked HttpOnly, this enables full session hijacking of other users, including administrators. This vulnerability is fixed in 8.0.0.1.

Scoring

CVSS 3.19.0 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS0.28% probability of exploitation · percentile 19.7% · 2026-06-18T12:00:27Z
Published2026-03-11
Last modified2026-03-13

Underlying weaknesses· 1

CWE-79

References

  1. https://github.com/openemr/openemr/security/advisories/GHSA-55qj-x8wh-m4rm

1

TypeTargetConfidenceTier
WeaknessImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')cwe-790%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-32127
CVE
CVE-2026-33346
CVE
CVE-2026-46518
CVE
CVE-2026-33301
CVE
CVE-2026-33910
CVE
CVE-2026-33917
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.