What is the CVSS score of CVE-2025-69231?

CVE-2025-69231 has a CVSS 3.1 base score of 8.7 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N. EPSS exploitation probability: 0.2%.

Which versions of Openemr are affected by CVE-2025-69231?

OpenEMR installations are vulnerable to a HIGH severity exploit (CVE-2025-69231, CVSS 8.7) that is actively being exploited in the wild.. A patch is available.

Is there a public PoC exploit available for CVE-2025-69231?

Yes, a public proof-of-concept exploit is available for CVE-2025-69231. Prioritise patching immediately. EPSS: 0.2%.

How to fix or mitigate CVE-2025-69231?

Within 24 hours: Inventory all OpenEMR instances and isolate any non-critical systems from production networks pending patch deployment. Within 7 days: Apply the vendor patch to all OpenEMR systems in production; coordinate with clinical staff to minimize downtime during off-hours. Within 30 days: Conduct security validation testing on patched systems and perform forensic audit logs to determine if the vulnerability was exploited prior to patching.

Openemr CVE-2025-69231

HIGH

Cross-site Scripting (XSS) (CWE-79)

2026-02-25 security-advisories@github.com

XSS Privilege Escalation Openemr

8.7

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

8.7 HIGH

AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Feb 25, 2026 - 17:01 vuln.today

Public exploit code

Patch released

Feb 25, 2026 - 17:01 nvd

Patch available

CVE Published

Feb 25, 2026 - 02:16 nvd

HIGH 8.7

DescriptionGitHub Advisory

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a stored cross-site scripting vulnerability in the GAD-7 anxiety assessment form allows authenticated users with clinician privileges to inject malicious JavaScript that executes when other users view the form. This enables session hijacking, account takeover, and privilege escalation from clinician to administrator. Version 8.0.0 fixes the issue.

AnalysisAI

OpenEMR is a free and open source electronic health records and medical practice management application. [CVSS 8.7 HIGH]

Technical ContextAI

Classified as CWE-79 (Cross-site Scripting (XSS)). Affects Openemr. OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a stored cross-site scripting vulnerability in the GAD-7 anxiety assessment form allows authenticated users with clinician privileges to inject malicious JavaScript that executes when other users view the form. This enables session hijacking, account takeover, and privilege escalation from clinician to administrator. Version 8.0.0 fixes the issue.

RemediationAI

A vendor patch is available — apply it immediately. Implement output encoding and Content Security Policy headers. Restrict network access to the affected service where possible.

CVE-2025-69231 vulnerability details – vuln.today

Back