{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32119", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-10T22:19:36.544Z", "datePublished": "2026-03-19T19:41:47.881Z", "dateUpdated": "2026-03-19T20:39:26.670Z"}, "containers": {"cna": {"title": "OpenEMR has Stored DOM XSS via SearchHighlight text-node reconstruction on Custom Report page", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/openemr/openemr/security/advisories/GHSA-q283-5j7f-r6hp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openemr/openemr/security/advisories/GHSA-q283-5j7f-r6hp"}, {"name": "https://github.com/openemr/openemr/commit/70a41122c6d75ebcd219ba2a2535e93a6c188151", "tags": ["x_refsource_MISC"], "url": "https://github.com/openemr/openemr/commit/70a41122c6d75ebcd219ba2a2535e93a6c188151"}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"version": "< 8.0.0.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T19:41:47.881Z"}, "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, DOM-based stored XSS in the jQuery SearchHighlight plugin (`library/js/SearchHighlight.js`) allows an authenticated user with encounter form write access to inject arbitrary JavaScript that executes in another clinician's browser session when they use the search/find feature on the Custom Report page. The plugin reverses server-side HTML entity encoding by reading decoded text from DOM text nodes, concatenating it into a raw HTML string, and passing it to jQuery's `$()` constructor for HTML parsing. Version 8.0.0.2 fixes the issue."}], "source": {"advisory": "GHSA-q283-5j7f-r6hp", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/openemr/openemr/security/advisories/GHSA-q283-5j7f-r6hp", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T20:39:22.528820Z", "id": "CVE-2026-32119", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T20:39:26.670Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32119", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-19T20:39:22.528820Z"}}}], "references": [{"url": "https://github.com/openemr/openemr/security/advisories/GHSA-q283-5j7f-r6hp", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T20:39:17.940Z"}}], "cna": {"title": "OpenEMR has Stored DOM XSS via SearchHighlight text-node reconstruction on Custom Report page", "source": {"advisory": "GHSA-q283-5j7f-r6hp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 4.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "openemr", "product": "openemr", "versions": [{"status": "affected", "version": "< 8.0.0.2"}]}], "references": [{"url": "https://github.com/openemr/openemr/security/advisories/GHSA-q283-5j7f-r6hp", "name": "https://github.com/openemr/openemr/security/advisories/GHSA-q283-5j7f-r6hp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openemr/openemr/commit/70a41122c6d75ebcd219ba2a2535e93a6c188151", "name": "https://github.com/openemr/openemr/commit/70a41122c6d75ebcd219ba2a2535e93a6c188151", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, DOM-based stored XSS in the jQuery SearchHighlight plugin (`library/js/SearchHighlight.js`) allows an authenticated user with encounter form write access to inject arbitrary JavaScript that executes in another clinician's browser session when they use the search/find feature on the Custom Report page. The plugin reverses server-side HTML entity encoding by reading decoded text from DOM text nodes, concatenating it into a raw HTML string, and passing it to jQuery's `$()` constructor for HTML parsing. Version 8.0.0.2 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T19:41:47.881Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32119", "state": "PUBLISHED", "dateUpdated": "2026-03-19T20:39:26.670Z", "dateReserved": "2026-03-10T22:19:36.544Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-19T19:41:47.881Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, DOM-based stored XSS in the jQuery SearchHighlight plugin (`library/js/SearchHighlight.js`) allows an authenticated user with encounter form write access to inject arbitrary JavaScript that executes in another clinician's browser session when they use the search/find feature on the Custom Report page. The plugin reverses server-side HTML entity encoding by reading decoded text from DOM text nodes, concatenating it into a raw HTML string, and passing it to jQuery's `$()` constructor for HTML parsing. Version 8.0.0.2 fixes the issue."}], "id": "CVE-2026-32119", "lastModified": "2026-03-20T13:39:46.493", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T20:16:13.900", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/openemr/openemr/commit/70a41122c6d75ebcd219ba2a2535e93a6c188151"}, {"source": "security-advisories@github.com", "url": "https://github.com/openemr/openemr/security/advisories/GHSA-q283-5j7f-r6hp"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/openemr/openemr/security/advisories/GHSA-q283-5j7f-r6hp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.0.0.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "openemr", "source": "cna", "vendor": "openemr"}, "product": "openemr", "vendor": "openemr"}], "analysis": {"en": {"generated_at": "2026-03-19T21:51:28.612375+00:00", "value": {"mitigation_remediation": ["Upgrade to OpenEMR 8.0.0.2 or later"], "summary": {"action": "Apply Patch", "impact": "Stored DOM XSS"}, "threat_synthesis": {"affected_systems": "Affected product: OpenEMR (openemr:openemr). All releases before version 8.0.0.2 are vulnerable. The issue was fixed in OpenEMR 8.0.0.2 and later releases.", "description_and_impact": "The vulnerability is a stored DOM\u2011based cross\u2011site scripting flaw in OpenEMR\u2019s jQuery SearchHighlight plugin (library/js/SearchHighlight.js). An authenticated user who has write access to encounter forms can inject arbitrary JavaScript into a text node. When another clinician uses the search/find feature on the Custom Report page, the plugin reconstructs the stored content, passes it to jQuery\u2019s $() constructor for parsing, and the injected script is executed in the victim\u2019s browser. This weakness corresponds to CWE\u201179.", "risk_and_exploitability": "The CVSS base score of 4.4 indicates medium impact. No EPSS data is available and the vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires an authenticated user with encounter form write permissions, limiting initial access. Once a script is injected, it runs in the browser session of another clinician who uses the search feature in the Custom Report page, allowing arbitrary JavaScript execution. While the description does not detail specific outcomes such as session hijacking, it is inferred that such malicious actions could be possible based on the ability to execute code in the victim\u2019s browser."}}}}, "created": "2026-03-20T08:56:26.360744+00:00", "updated": "2026-03-20T11:06:36.430044+00:00", "vendors": ["openemr", "openemr$PRODUCT$openemr"]}