OpenEMR CVE-2026-46518

Severity: HIGH
Weakness: Cross-site Scripting (XSS) (CWE-79)
Published: 2026-06-09 (GitHub_M)
Score: 8.7 (CVSS 3.1 · NVD)

Severity by source

  • NVD (primary): 8.7 HIGH, AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
  • vuln.today AI: 8.7 HIGH

Network-reachable stored XSS exploitable by a low-privileged portal user (PR:L); requires clinician to open multi-print view (UI:R); scope changes to clinician UI with high C/I, no availability impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:H/SI:H/SA:N

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: None

Lifecycle Timeline

5 events

  • Analysis Updated: Jun 11, 2026 - 18:43, vuln.today, v3 (cvss_changed)
  • Analysis Updated: Jun 11, 2026 - 18:43, vuln.today, v2 (cvss_changed)
  • Re-analysis Queued: Jun 11, 2026 - 18:37, vuln.today, cvss_changed
  • CVSS changed: Jun 11, 2026 - 18:37, NVD, 7.7 (HIGH) → 8.7 (HIGH)
  • Analysis Generated: Jun 09, 2026 - 23:50, vuln.today

Description (NVD)

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.1, a stored cross-site scripting vulnerability in the prescription CSS/HTML multi-print feature allows a patient portal user to execute arbitrary JavaScript in a clinician's browser session. Patient demographic fields (name, address) are rendered without output encoding in multiprintcss_header(), and portal patients can write attacker-controlled HTML directly into patient_data by calling the PUT api/patient/:num endpoint, which bypasses the intended audit review workflow. Because the XSS fires in the clinician's authenticated session on the main OpenEMR interface, the attacker can access CSRF tokens, session data, and perform actions as the clinician - crossing the patient-to-clinician trust boundary. This issue has been patched in version 8.0.0.1.
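
The missing control described above, output encoding of demographic fields at render time, shown as an added Python example together with a sweep for markup already stored in those fields. This is not OpenEMR's code (OpenEMR is PHP); the function names, the column names `fname`, `lname`, `street`, `city` and the sample rows are assumptions constructed for illustration.

```python
import html
import re

# Demographic columns of patient_data checked here (assumed column names).
DEMOGRAPHIC_FIELDS = ("fname", "lname", "street", "city")

# Angle brackets or HTML entities have no place in a name or address.
# Apostrophes are legitimate (O'Neil), so they are left to output encoding.
MARKUP = re.compile(r"[<>]|&#?\w+;")

def render_header_unencoded(p):
    """'Before' form: field values are concatenated into markup as-is."""
    return "<div class='hdr'>%s %s<br>%s, %s</div>" % (
        p["fname"], p["lname"], p["street"], p["city"])

def render_header_encoded(p):
    """Hardened form: every field is HTML-encoded at the point of output."""
    e = {k: html.escape(str(p[k]), quote=True) for k in DEMOGRAPHIC_FIELDS}
    return "<div class='hdr'>%s %s<br>%s, %s</div>" % (
        e["fname"], e["lname"], e["street"], e["city"])

def flag_stored_markup(rows):
    """Return (pid, field) pairs whose stored value contains HTML syntax."""
    return [(r["pid"], f) for r in rows for f in DEMOGRAPHIC_FIELDS
            if MARKUP.search(str(r.get(f, "")))]

# Constructed sample rows; the markup in pid 2 is inert.
ROWS = [
    {"pid": 1, "fname": "Ana", "lname": "Ruiz",
     "street": "12 Elm St", "city": "Austin"},
    {"pid": 2, "fname": "Lee<b>x</b>", "lname": "O'Neil",
     "street": "4 Oak Rd", "city": "Reno"},
]

if __name__ == "__main__":
    for pid, field in flag_stored_markup(ROWS):
        print("review pid=%s field=%s" % (pid, field))
    print(render_header_encoded(ROWS[1]))
```

Encoding at output neutralises values that were stored before the upgrade; the sweep identifies records whose demographic fields should be reviewed and corrected.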

Analysis (AI)

Stored cross-site scripting in OpenEMR before 8.0.0.1 lets an authenticated patient portal user inject HTML/JavaScript into demographic fields via the PUT api/patient/:num endpoint, which fires later in a clinician's authenticated session when the prescription CSS/HTML multi-print feature renders the patient name and address without output encoding. Because the payload executes inside the main OpenEMR UI under the clinician's session, the attacker crosses the patient-to-clinician trust boundary and can steal CSRF tokens, exfiltrate session data, and perform privileged actions as the clinician. …

Attack Chain (AI, derived)

Hypothetical attack flow derived from CVE metadata

  • Recon: Register or log in to patient portal
  • Delivery: Send PUT api/patient/:num with HTML payload in name/address
  • Exploit: Payload stored in patient_data, audit review bypassed
  • Install: Clinician opens prescription multi-print view
  • C2: multiprintcss_header() renders payload unencoded
  • Execute: Script executes in clinician's authenticated session
  • Impact: Exfiltrate CSRF/session and act as clinician

Vulnerability Assessment (AI)

Exploitation: Requires (1) an authenticated patient portal account on the target OpenEMR instance (PR:L) with permission to call the PUT api/patient/:num REST endpoint, (2) the OpenEMR patient portal and REST API to be enabled and reachable by the attacker, and (3) a clinician to subsequently open the prescription CSS/HTML multi-print view for the attacker-controlled patient record (UI:R) so multiprintcss_header() renders the unsanitized name/address. …
Risk Assessment: Signals are mixed but coherent. …
Exploit Scenario: A registered patient portal user (or attacker who self-registers, where permitted) calls PUT api/patient/:num with a name or address field containing a script payload such as an event-handler-bearing image tag, bypassing the normal audit-review queue. Later, a clinician opens the prescription CSS/HTML multi-print view for that patient; the payload executes in the clinician's authenticated OpenEMR session and exfiltrates the CSRF token and session cookie, or issues authenticated requests (create users, modify records) on the clinician's behalf. …
Remediation: Vendor-released patch: upgrade OpenEMR to 8.0.0.1 or later, as described in advisory https://github.com/openemr/openemr/security/advisories/GHSA-4gh4-q39r-45wf. …

Recommended Action (AI)

24 hours: Inventory all OpenEMR installations and confirm current version numbers; flag any versions prior to 8.0.0.1 as vulnerable. …
