CVE-2026-32119 in OpenEMR
Summary
by MITRE • 03/19/2026
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, DOM-based stored XSS in the jQuery SearchHighlight plugin (`library/js/SearchHighlight.js`) allows an authenticated user with encounter form write access to inject arbitrary JavaScript that executes in another clinician's browser session when they use the search/find feature on the Custom Report page. The plugin reverses server-side HTML entity encoding by reading decoded text from DOM text nodes, concatenating it into a raw HTML string, and passing it to jQuery's `$()` constructor for HTML parsing. Version 8.0.0.2 fixes the issue.
Analysis
by VulDB Data Team • 03/24/2026
CVE-2026-32119 is a DOM-based stored cross-site scripting flaw in OpenEMR, the open source electronic health records and practice management application. It affects versions prior to 8.0.0.2 and resides in the jQuery SearchHighlight plugin shipped at library/js/SearchHighlight.js. A healthcare deployment is shared by many clinicians, so content stored by one user is rendered in the browsers of others; that is what turns a client-side parsing bug into a cross-user compromise. The weakness is classified under CWE-79 (improper neutralization of input during web page generation).
The root cause is how the plugin handles text that the server has already entity-encoded. When OpenEMR renders an encounter form value, characters such as `<` and `"` are emitted as `&lt;` and `&quot;`, so the browser's HTML parser produces a text node whose value is the original, decoded string. The plugin walks those text nodes, reads the decoded value back (for example via `nodeValue`), wraps each match of the search term in highlight markup by plain string concatenation, and hands the resulting string to jQuery's `$()` constructor, which treats it as HTML and parses it. At that point the server's encoding has been undone: a stored payload such as an `<img>` tag with an `onerror` handler becomes a real element, and the handler fires when the fragment is placed in the page. The defect is therefore a client-side output-encoding gap; the server encoded correctly, the client decoded and re-parsed. Because the payload persists in the encounter form, it executes every time an affected user runs the search/find feature on the Custom Report page.
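The encode, decode, re-parse sequence above, as an added example (not OpenEMR or plugin code). It models the server's entity encoding, the browser's text-node decoding and two highlighters: one that concatenates decoded text into an HTML string the way the advisory describes, and one that re-encodes every text segment first. The attacker input, the `hilite` class and the helper names are constructed for illustration; it runs in plain Node with no jQuery or DOM.

```javascript
// Added example, not OpenEMR code: models the round trip that turns correct
// server-side entity encoding into a DOM-based XSS when a highlighter rebuilds
// HTML from decoded text nodes. Pure Node, no jQuery or DOM required.

const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// What the server does before emitting a stored form value into the page.
function htmlEncode(s) {
  return s.replace(/[&<>"']/g, (c) => ENTITY_MAP[c]);
}

// What the browser's HTML parser does when it builds a text node: the node's
// value is the decoded string, so reading it back returns the raw input.
function decodeTextNode(encoded) {
  return encoded
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&'); // &amp; last, so "&amp;lt;" yields "&lt;", not "<"
}

function escapeRegExp(term) {
  return term.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Vulnerable pattern: read decoded text, wrap matches in <span> markup by
// string concatenation, return a raw HTML string destined for $(html).
function highlightVulnerable(text, term) {
  const re = new RegExp(escapeRegExp(term), 'gi');
  return text.replace(re, (m) => `<span class="hilite">${m}</span>`);
}

// Hardened pattern: re-encode each text segment before it touches the HTML
// string, so only the highlighter's own <span> tags are parsed as markup.
function highlightSafe(text, term) {
  const re = new RegExp(escapeRegExp(term), 'gi');
  let out = '';
  let last = 0;
  for (const m of text.matchAll(re)) {
    out += htmlEncode(text.slice(last, m.index));
    out += `<span class="hilite">${htmlEncode(m[0])}</span>`;
    last = m.index + m[0].length;
  }
  return out + htmlEncode(text.slice(last));
}

// Constructed attacker input, as it would be saved into an encounter form field.
const ATTACKER_INPUT = 'chest pain <img src=x onerror="alert(document.cookie)"> noted';

// Full path: server encodes, browser decodes into a text node, plugin reads the
// text node and rebuilds HTML. Returns the string that would be fed to $(...).
function simulate(highlighter, term = 'pain') {
  const pageHtml = htmlEncode(ATTACKER_INPUT);    // safe at this point
  const textNodeValue = decodeTextNode(pageHtml); // encoding undone by the parser
  return highlighter(textNodeValue, term);
}

// Crude audit check: does the rebuilt HTML contain any tag other than the
// highlighter's own <span>? Such a tag came from data, not from the plugin.
function containsForeignTag(html) {
  return /<(?!\/?span\b)[a-z]/i.test(html);
}

console.log('vulnerable:', simulate(highlightVulnerable));
console.log('hardened:  ', simulate(highlightSafe));
console.log('foreign tag in vulnerable output:', containsForeignTag(simulate(highlightVulnerable)));
console.log('foreign tag in hardened output:  ', containsForeignTag(simulate(highlightSafe)));
```

The same `containsForeignTag` idea is a useful grep when auditing other client-side code: any place that reads `nodeValue` or `textContent` and feeds the result into `innerHTML`, `$()` or another HTML parser without re-encoding has this shape.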
Operationally, the flaw lets an authenticated attacker with encounter form write access run JavaScript in another clinician's authenticated session. The payload executes with the victim's privileges, so it can read any patient record the victim can open, submit forms on their behalf and exfiltrate whatever the page exposes to script (session cookies only if they are not marked HttpOnly). In an EHR that is a direct path to protected health information. The required privilege is not trivial, but it is one ordinary clinical staff hold, so any user who can write to encounter forms is a candidate attacker, as is any compromised account at that level. No authentication bypass or second bug is needed: the attacker relies entirely on legitimate functionality, and the victim triggers the payload by doing normal work.
The fix shipped in OpenEMR 8.0.0.2 and changes the SearchHighlight plugin so that text read from the DOM is no longer re-parsed as HTML without encoding; the page does not detail the patch beyond that, but the correct shape of such a fix is to re-encode the decoded text, or to build the highlight spans with DOM methods and text nodes, before anything reaches `$()`. Administrators should upgrade to 8.0.0.2 or later. Until then, restricting encounter form write access and reviewing recently modified form content for markup are the available mitigations, and security teams should audit other client-side code for the same pattern, anywhere that reads `textContent` or `nodeValue` and feeds it into `innerHTML`, `$()` or a similar HTML parser. The ATT&CK tag of T1566 (Phishing) given for this entry is a loose fit: no lure or social engineering is required, since the victim executes the payload simply by using the search feature.