Stored Cross-Site Scripting Vulnerability in OpenEMR by OpenEMR
CVE-2026-46518
7.7 HIGH
What is CVE-2026-46518?
A stored cross-site scripting (XSS) vulnerability in OpenEMR's CSS/HTML multi-print feature allows a patient portal user to run arbitrary JavaScript in a clinician's browser session. Patient demographic fields are rendered into the multi-print output without output encoding. An attacker can write HTML or script into those fields through the PUT api/patient/:num endpoint, which updates the record directly and so bypasses the audit review that demographic changes are intended to go through; when a clinician later opens the multi-print view for that patient, the injected script executes in the clinician's authenticated session. From there it can read session data and CSRF tokens and perform actions as the clinician. The issue is fixed in OpenEMR version 8.0.0.1.
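The rendering defect described above, as an added illustration that is not OpenEMR's own code: a hypothetical in-memory stand-in for the PUT api/patient/:num handler stores whatever the caller sends, a vulnerable multi-print renderer interpolates the stored demographics into HTML unencoded, and a fixed renderer HTML-encodes every untrusted value at output time. The patient store, the field names (fname, lname, street), the handler and the payload are all constructed for the example and do not reflect OpenEMR's actual schema or code.

```python
import html
from html.parser import HTMLParser

# Constructed in-memory store standing in for a patient demographics table.
# Field names are assumed for illustration, not OpenEMR's real schema.
PATIENTS = {
    42: {"fname": "Alice", "lname": "Example", "street": "1 Main St"},
}

# Constructed payload a portal user might submit as a demographics update.
XSS_PAYLOAD = '<img src=x onerror="fetch(\'/steal?c=\'+document.cookie)">'


def put_patient(pid: int, body: dict) -> dict:
    """Hypothetical handler for PUT api/patient/:num.

    It writes whatever fields the caller sends straight into the record.
    Storing HTML metacharacters is not the bug by itself; the bug is that
    the multi-print view later emits them without encoding.
    """
    record = PATIENTS.setdefault(pid, {})
    record.update({k: str(v) for k, v in body.items()})
    return record


def render_multiprint_vulnerable(pid: int) -> str:
    """Vulnerable rendering: demographics interpolated raw into the HTML."""
    p = PATIENTS[pid]
    return (
        "<div class='patient'>"
        f"<h2>{p['fname']} {p['lname']}</h2>"
        f"<p>{p['street']}</p>"
        "</div>"
    )


def render_multiprint_fixed(pid: int) -> str:
    """Hardened rendering: every untrusted value is HTML-encoded at output.

    html.escape(quote=True) encodes &, <, >, " and ', so the value is safe
    both as element text and inside a quoted attribute.
    """
    p = PATIENTS[pid]

    def e(value: str) -> str:
        return html.escape(value, quote=True)

    return (
        "<div class='patient'>"
        f"<h2>{e(p['fname'])} {e(p['lname'])}</h2>"
        f"<p>{e(p['street'])}</p>"
        "</div>"
    )


class ActiveContentFinder(HTMLParser):
    """Parses rendered HTML and records tags a browser would treat as
    script-capable: <script>, <img>, <svg>, <iframe>, or any tag carrying
    an on* event-handler attribute. Escaped text never becomes a tag."""

    def __init__(self) -> None:
        super().__init__()
        self.hits: list[str] = []

    def handle_starttag(self, tag: str, attrs: list) -> None:
        risky_tag = tag in {"script", "img", "svg", "iframe"}
        handler = any(name.lower().startswith("on") for name, _ in attrs)
        if risky_tag or handler:
            self.hits.append(tag)


def find_active_content(rendered: str) -> list:
    """Return the script-capable tags present in the rendered markup."""
    finder = ActiveContentFinder()
    finder.feed(rendered)
    finder.close()
    return finder.hits


def demo() -> dict:
    """Store the payload via the PUT stand-in, then render both ways."""
    put_patient(42, {"fname": XSS_PAYLOAD})
    vulnerable = render_multiprint_vulnerable(42)
    fixed = render_multiprint_fixed(42)
    return {
        "stored_raw": PATIENTS[42]["fname"] == XSS_PAYLOAD,
        "vulnerable_hits": find_active_content(vulnerable),
        "fixed_hits": find_active_content(fixed),
        "fixed_output": fixed,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix belongs at the output sink, not the input: demographic data reaches the database through several paths (the portal, the API, clinician edits), so a filter on one write path such as the PUT endpoint leaves the others exposed, whereas encoding every value as it is emitted into HTML closes the sink regardless of how the value arrived.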
Affected Version(s)
openemr < 8.0.0.1
