CVE-2026-32119: OpenEMR DOM-Based Stored XSS Vulnerability

CVE-2026-32119 Overview

CVE-2026-32119 is a DOM-based stored Cross-Site Scripting (XSS) vulnerability affecting OpenEMR, a widely-used free and open source electronic health records (EHR) and medical practice management application. The vulnerability exists in the jQuery SearchHighlight plugin (library/js/SearchHighlight.js) and allows authenticated users with encounter form write access to inject arbitrary JavaScript code that executes in another clinician's browser session.

Critical Impact

Malicious JavaScript injected by an attacker can execute in the context of another clinician's authenticated session when they use the search/find feature on the Custom Report page, potentially compromising patient data and clinical workflows.

Affected Products

• OpenEMR versions prior to 8.0.0.2
• jQuery SearchHighlight plugin (library/js/SearchHighlight.js)
• Custom Report page search functionality

Discovery Timeline

• 2026-03-19 - CVE CVE-2026-32119 published to NVD
• 2026-03-19 - Last updated in NVD database

Technical Details for CVE-2026-32119

Vulnerability Analysis

This DOM-based stored XSS vulnerability arises from unsafe handling of user-supplied data within the jQuery SearchHighlight plugin. The vulnerability is particularly concerning in healthcare environments where clinicians routinely access patient records and use search functionality to navigate complex medical documentation.

The attack requires an authenticated user with encounter form write access, which represents a significant portion of clinical staff in typical healthcare deployments. The changed scope (S:C in CVSS vector) indicates that the vulnerability can affect resources beyond its security scope, meaning an attacker can impact other users' sessions and potentially access their data.

Root Cause

The root cause lies in the SearchHighlight plugin's implementation of text highlighting. The plugin reverses server-side HTML entity encoding by reading decoded text from DOM text nodes, concatenating it into a raw HTML string, and passing it to jQuery's $() constructor for HTML parsing. This pattern allows encoded malicious payloads stored in the database to be decoded and executed as JavaScript when rendered in the victim's browser.

When jQuery's $() constructor receives a string containing HTML, it parses and executes any embedded scripts, effectively bypassing server-side sanitization efforts.

Attack Vector

The attack vector is network-based and requires user interaction. An authenticated attacker with encounter form write access injects malicious JavaScript payload into form data. When another clinician subsequently uses the search/find feature on the Custom Report page, the SearchHighlight plugin processes the stored data, reverses the HTML entity encoding, and passes the malicious content to jQuery's constructor, triggering script execution in the victim's authenticated session.

 /**
  * SearchHighlight plugin for jQuery
- * 
+ *
  * Thanks to Scott Yang <http://scott.yang.id.au/>
  * for the original idea and some code
- *    
- * @author Renato Formato <renatoformato@virgilio.it> 
- *  
- * @version 0.33
+ *
+ * @author Renato Formato <renatoformato@virgilio.it>
+ * @author Michael A. Smith <michael@opencoreemr.com>
+ * @copyright Copyright (c) 2026 OpenCoreEMR Inc <https://opencoreemr.com/>
+ *
+ * @version 0.34
  *
  *  Options
  *  - exact (string, default:"exact") 

Source: GitHub Commit Update

Detection Methods for CVE-2026-32119

Indicators of Compromise

• Unusual JavaScript or HTML tags present in encounter form data fields
• Encoded script content such as <script> or event handlers like onerror, onload in database records
• Unexpected network requests originating from clinician browser sessions to external domains
• Reports from users about unusual browser behavior when using the Custom Report search feature

Detection Strategies

• Implement Content Security Policy (CSP) headers to detect and block inline script execution
• Monitor database fields associated with encounter forms for patterns indicative of XSS payloads
• Deploy web application firewall (WAF) rules to detect XSS injection attempts in form submissions
• Review application logs for suspicious data patterns in encounter-related API requests

Monitoring Recommendations

• Enable browser console logging and monitor for JavaScript errors related to blocked scripts
• Audit user activity on encounter forms, particularly from accounts with write access
• Implement real-time alerting for CSP violation reports
• Regularly scan stored data for known XSS payload patterns

How to Mitigate CVE-2026-32119

Immediate Actions Required

• Upgrade OpenEMR to version 8.0.0.2 or later immediately
• Review encounter form data for any existing malicious payloads
• Implement Content Security Policy headers to mitigate exploitation risk
• Audit user accounts with encounter form write access and verify their legitimacy

Patch Information

OpenEMR version 8.0.0.2 addresses this vulnerability by updating the SearchHighlight plugin to version 0.34. The fix modifies how the plugin handles text processing to prevent the unsafe conversion of decoded text to raw HTML. For detailed patch information, refer to the GitHub Commit Update and the GitHub Security Advisory GHSA-q283.

Workarounds

• Deploy a strict Content Security Policy that blocks inline script execution as a temporary mitigation
• Restrict encounter form write access to only essential personnel until patching is complete
• Consider temporarily disabling the search/highlight functionality on the Custom Report page
• Implement additional input validation at the application layer for encounter form submissions

# Example CSP header configuration for Apache
# Add to httpd.conf or .htaccess
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline';"