Stored Cross-Site Scripting Vulnerability in OpenEMR by OpenEMR
CVE-2026-46518

7.7 HIGH

Key Information:

Vendor: Openemr
Status: Vendor
CVE Published: 9 June 2026

What is CVE-2026-46518?

A stored cross-site scripting (XSS) vulnerability exists in OpenEMR's CSS/HTML multi-print feature. It allows a patient portal user to inject arbitrary JavaScript into a clinician's browser session. The root cause is that patient demographic information is rendered without proper output encoding; an attacker can set that data through the PUT api/patient/:num endpoint, which bypasses the audit review process that would otherwise apply to such edits. When a clinician prints the affected record, the injected script runs in the clinician's authenticated session, giving the attacker access to sensitive session data and CSRF tokens and enabling unauthorized actions on the clinician's behalf. The vulnerability has been addressed in OpenEMR version 8.0.0.1.
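The core defect described above is missing output encoding on data that may have arrived through the API rather than a validated web form. The following added example (not OpenEMR's own code; field names and the rendering helper are assumptions) contrasts a render routine that trusts stored demographics with one that encodes every value at the point of output:

```php
<?php
// Added example, not OpenEMR code. Field names are assumptions.
// Rule: stored demographic values are untrusted at render time, no matter
// how they were saved (web form, API PUT, import), because the print view
// cannot know which path wrote them.

// Encode a value for use inside an HTML text node or attribute value.
function enc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: interpolates stored fields directly into HTML,
// relying on input-side validation that an API client never went through.
function render_demographics_unsafe(array $patient): string
{
    return "<tr><td>{$patient['fname']}</td><td>{$patient['lname']}</td></tr>\n";
}

// Hardened pattern: every field is encoded exactly where it enters markup.
function render_demographics(array $patient): string
{
    return '<tr><td>' . enc($patient['fname']) . '</td><td>'
         . enc($patient['lname']) . "</td></tr>\n";
}

// Constructed record: a last name containing markup, as an API client could
// store it. Any HTML here, including a script element, would be treated the
// same way by the unsafe renderer.
$patient = ['fname' => 'Jane', 'lname' => '<i>Doe</i>'];

echo render_demographics_unsafe($patient); // markup is emitted as live HTML
echo render_demographics($patient);        // markup is emitted as literal text
```

The check to carry into a code review is that the encoding call sits in the output path, not only in the form handlers, since the API write path in this advisory does not pass through them.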

Affected Version(s)

openemr < 8.0.0.1

References

CVSS V3.1

Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
