CVE-2026-21443

MEDIUM

OpenEMR <8.0.0 - XSS

Title source: llm

Description

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the `xl()` translation function returns unescaped strings. While wrapper functions exist for escaping in different contexts (`xlt()` for HTML, `xla()` for attributes, `xlj()` for JavaScript), there are places in the codebase where `xl()` output is used directly without escaping. If an attacker could insert malicious content into the translation database, these unescaped outputs could lead to XSS. Version 8.0.0 fixes the issue.

References (2)

[Vendor Advisory] https://github.com/openemr/openemr/security/advisories/GHSA-3f9j-cqjj-7h46

[Patch] https://github.com/openemr/openemr/commit/b1e3fe8a9ed8bcaf17e0b73d7fad5434f9fe36da

View Patch ZIP pw:eip

Scores

CVSS v3 6.1

EPSS 0.0013

EPSS Percentile 31.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-116

Status published

Products (1)

open-emr/openemr < 8.0.0

Published Feb 25, 2026

Tracked Since Feb 25, 2026