CVE-2026-46518 Overview
CVE-2026-46518 is a stored cross-site scripting (XSS) vulnerability in OpenEMR, an open source electronic health records and medical practice management application. The flaw affects versions prior to 8.0.0.1 and resides in the prescription CSS/HTML multi-print feature. A patient portal user can inject arbitrary JavaScript that executes in a clinician's authenticated browser session, crossing the patient-to-clinician trust boundary. The vulnerability is tracked under CWE-79 and has been patched in OpenEMR version 8.0.0.1.
Critical Impact
An authenticated portal patient can execute JavaScript in a clinician's session, exposing CSRF tokens and session data and enabling actions performed as the clinician.
Affected Products
- OpenEMR versions prior to 8.0.0.1
- OpenEMR patient portal component
- OpenEMR prescription multi-print feature (multiprintcss_header())
Discovery Timeline
- 2026-06-10 - CVE-2026-46518 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-46518
Vulnerability Analysis
The vulnerability resides in the multiprintcss_header() function used by OpenEMR's prescription multi-print feature. Patient demographic fields, including name and address, are rendered into HTML output without proper output encoding. A patient portal user can inject HTML and JavaScript payloads into these demographic fields. When a clinician opens the multi-print prescription view, the malicious payload executes in the clinician's authenticated session on the main OpenEMR interface.
The attack crosses a trust boundary. OpenEMR normally requires audit review of patient-submitted changes to demographic data. The portal API endpoint bypasses that workflow and writes attacker-controlled values directly into the patient_data table.
Root Cause
Two defects combine to produce the vulnerability. First, multiprintcss_header() concatenates patient demographic strings into HTML without applying output encoding or HTML escaping. Second, the PUT api/patient/:num endpoint accepts portal patient submissions and stores them in patient_data without routing them through the audit review queue. The combination allows persistent script storage and reliable execution in a privileged session.
Attack Vector
An authenticated portal patient sends a PUT request to api/patient/:num with HTML payloads embedded in fields such as name or address. The injected content is stored directly in patient_data. When any clinician later renders the patient through the prescription multi-print interface, the stored payload executes in the clinician's browser. The attacker can read CSRF tokens, harvest session data, and issue authenticated requests as the clinician.
No verified public exploit code is available. See the GitHub Security Advisory for technical details.
Detection Methods for CVE-2026-46518
Indicators of Compromise
- Patient demographic fields in patient_data containing HTML tags such as <script>, <img onerror=>, or <svg onload=>.
- PUT requests to api/patient/:num originating from portal accounts containing HTML or JavaScript payloads in name or address parameters.
- Unexpected clinician-initiated actions immediately following access to the prescription multi-print view.
Detection Strategies
- Review web server and WAF audit logs for portal API calls to api/patient/:num with request bodies containing angle brackets or script keywords. Standard access logs record only the method and URI, so body inspection requires application-level or WAF audit logging of the request body.
- Audit the patient_data table for stored values containing HTML markup in fields that should hold plain text.
- Monitor browser console errors and unexpected outbound requests from clinician workstations rendering the multi-print interface.
Monitoring Recommendations
- Enable verbose application logging on the OpenEMR REST API and ingest logs into a centralized SIEM for query and alerting.
- Alert on portal patient API requests that contain encoded or raw HTML payloads in demographic fields.
- Correlate clinician session activity with prior portal patient updates to identify potential session abuse.
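As an added illustration of the detection strategies and the alerting recommendation above (not code from the advisory or from OpenEMR): a Python audit that flags stored patient_data rows holding markup in plain-text demographic fields, and a request-log check that flags portal PUT api/patient/:num calls carrying markup in name or address parameters. The column names, the /apis/default/ path prefix, the JSON log shape and all sample rows and log lines are assumptions constructed for this example.

```python
import json
import re

# Heuristic for markup that must never appear in a plain-text demographic field:
# a raw HTML tag or an inline on...= handler (may false-positive on "one=two").
MARKUP_RE = re.compile(
    r"<\s*/?[a-z!][^>]*>"  # a tag such as <script> or <img ...>
    r"|\bon[a-z]+\s*=",    # an event handler such as onerror=
    re.IGNORECASE,
)
# patient_data columns that must hold plain text (assumed column names).
PLAIN_TEXT_FIELDS = ("fname", "lname", "street", "city")


def looks_like_markup(value):
    """True if a stored or submitted string carries HTML/JS markup."""
    return bool(value) and MARKUP_RE.search(str(value)) is not None


def audit_patient_rows(rows):
    """Data-at-rest audit: [(pid, field)] for each plain-text field with markup."""
    return [(row["pid"], f) for row in rows for f in PLAIN_TEXT_FIELDS
            if looks_like_markup(row.get(f, ""))]


def flag_portal_updates(log_lines):
    """Request-log detection: ids of portal PUT api/patient/:num calls whose
    name/address parameters carry markup (one JSON object per log line)."""
    flagged = []
    for line in log_lines:
        rec = json.loads(line)
        if rec.get("method") != "PUT" or rec.get("actor") != "portal":
            continue  # only patient-portal writes are in scope
        if not re.search(r"/api/patient/\d+$", rec.get("uri", "")):
            continue
        body = rec.get("body", {})
        if any(looks_like_markup(body.get(f, "")) for f in PLAIN_TEXT_FIELDS):
            flagged.append(rec["req_id"])
    return flagged


# Constructed sample data: three patient_data rows and four API log lines.
SAMPLE_ROWS = [
    {"pid": 1, "fname": "Ann", "lname": "O'Brien", "street": "1 Main St", "city": "Lima"},
    {"pid": 2, "fname": "<script>probe()</script>", "lname": "Doe", "street": "", "city": ""},
    {"pid": 3, "fname": "Bob", "lname": "Lee", "street": "2 Elm St <br>", "city": "Rome"},
]
SAMPLE_LOG = [
    '{"req_id":"r1","method":"PUT","actor":"portal","uri":"/apis/default/api/patient/7","body":{"fname":"Ann","street":"1 Main St"}}',
    '{"req_id":"r2","method":"PUT","actor":"portal","uri":"/apis/default/api/patient/7","body":{"fname":"<svg onload=probe()>","street":""}}',
    '{"req_id":"r3","method":"PUT","actor":"clinician","uri":"/apis/default/api/patient/7","body":{"fname":"<b>Ann</b>","street":""}}',
    '{"req_id":"r4","method":"GET","actor":"portal","uri":"/apis/default/api/patient/7","body":{}}',
]
```

Running audit_patient_rows(SAMPLE_ROWS) returns [(2, 'fname'), (3, 'street')] and flag_portal_updates(SAMPLE_LOG) returns ['r2']; the clinician-originated r3 is out of scope by design and should be covered by the data-at-rest audit instead.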
How to Mitigate CVE-2026-46518
Immediate Actions Required
- Upgrade OpenEMR to version 8.0.0.1 or later, which contains the official fix.
- Audit patient_data for stored HTML payloads in demographic fields and sanitize any malicious entries before clinicians view affected records.
- Restrict access to the prescription multi-print feature until the patch is deployed.
Patch Information
The OpenEMR project addressed CVE-2026-46518 in version 8.0.0.1. The fix applies output encoding to patient demographic fields rendered by multiprintcss_header() and routes portal API updates through the audit review workflow. Patch details are documented in the OpenEMR GitHub Security Advisory GHSA-4gh4-q39r-45wf.
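The root cause and its fix, rendered in Python rather than OpenEMR's PHP as an added example (not the project's multiprintcss_header() code): the concatenation defect beside the output-encoded form, plus the double-encoding caveat that applies if the HTML-encode-at-rest workaround below was used before upgrading. The field names and the constructed patient record are assumptions.

```python
import html

# Constructed patient record as the multi-print header would receive it
# (assumed field names); lname and street carry markup typed by a portal user.
PATIENT = {
    "fname": "Ann",
    "lname": "<script>probe()</script>",
    "street": "1 Main St <Apt 2>",
}


def header_unsafe(patient):
    """The defective pattern: demographic strings concatenated into HTML as-is,
    so a tag stored in the record becomes live markup in the clinician's page."""
    return ("<div class='pt'>" + patient["fname"] + " " + patient["lname"]
            + "<br>" + patient["street"] + "</div>")


def header_safe(patient):
    """The fix pattern: HTML-encode every field at the point of output. Encoding
    belongs here, in the template, not in the database."""
    e = {k: html.escape(v, quote=True) for k, v in patient.items()}
    return ("<div class='pt'>" + e["fname"] + " " + e["lname"]
            + "<br>" + e["street"] + "</div>")


def header_safe_after_workaround(patient):
    """Caveat for the interim workaround of HTML-encoding values at rest: once
    the patched template encodes on output, pre-encoded values double-encode and
    clinicians see a literal '&lt;'. Decode stored values once, then encode on
    output; the result is still inert because the final step is the escape."""
    return header_safe({k: html.unescape(v) for k, v in patient.items()})
```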
Workarounds
- Disable the patient portal PUT api/patient/:num endpoint until upgrade is possible.
- Manually review and HTML-encode patient demographic data before clinicians access prescription printing features.
- Apply a web application firewall rule to block portal API requests containing HTML tags in demographic fields.
# Configuration example - WAF rule pattern to block HTML in portal demographic updates
# Example ModSecurity rule (adapt to your environment). Requires SecRequestBodyAccess On,
# otherwise REQUEST_BODY is empty in phase 2 and the chain never matches.
# Restricted to PUT so reads of api/patient/:num are not affected; the body check is a
# coarse heuristic that rejects any tag-like sequence anywhere in the request body.
SecRule REQUEST_METHOD "@streq PUT" \
    "id:1004651,phase:2,deny,status:403,log,chain,\
    msg:'Blocking HTML in OpenEMR portal patient update'"
    SecRule REQUEST_URI "@rx ^/apis/.*/api/patient/[0-9]+$" "t:none,chain"
        SecRule REQUEST_BODY "@rx <[a-zA-Z/!]" "t:none,t:urlDecodeUni"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.