Stored Cross-Site Scripting Vulnerability in OpenEMR by OpenEMR
CVE-2025-69231

8.7 HIGH

Key Information:

Vendor: Openemr

Status
Vendor
CVE Published: 25 February 2026

What is CVE-2025-69231?

A stored cross-site scripting vulnerability exists within the GAD-7 anxiety assessment form in OpenEMR versions prior to 8.0.0. This flaw allows authenticated users with clinician privileges to inject malicious JavaScript code. When other users access the form, this code executes, potentially leading to session hijacking, account takeover, and unauthorized privilege escalation. The vulnerability highlights the importance of secure coding practices and user access management in healthcare applications.

Affected Version(s)

openemr < 8.0.0

CVSS V3.1

Score: 8.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
