HIGH | CVE-2026-46518 | Published | Modified | CNA: GitHub_M

CVE-2026-46518: OpenEMR: Stored XSS in prescription CSS/HTML print view via patient demographics

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0.1, a stored cross-site scripting vulnerability in the prescription CSS/HTML multi-print feature allows a patient portal user to execute arbitrary JavaScript in a clinician's browser session. Patient demographic fields (name, address) are rendered without output encoding in multiprintcss_header(), and portal patients can write attacker-controlled HTML directly into patient_data by calling the PUT api/patient/:num endpoint, which bypasses the intended audit review workflow. Because the XSS fires in the clinician's authenticated session on the main OpenEMR interface, the attacker can access CSRF tokens, session data, and perform actions as the clinician — crossing the patient-to-clinician trust boundary. This issue has been patched in version 8.0.0.1.
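The rendering flaw described above, reduced to an added illustration; this is not OpenEMR's code, which is PHP. The function names, field names and sample records are hypothetical and constructed for the example. It contrasts a header built from stored values as-is with one encoded at output, and flags stored fields containing tag-like markup without tripping on legitimate names and addresses.

```python
import html
import re

# Tag-like sequence: "<" followed by a letter, "/" or "!".
# Apostrophes and ampersands alone are normal in names and addresses.
TAG_RE = re.compile(r"<\s*[A-Za-z/!]")

def render_header_unencoded(p):
    # Mirrors the flaw the advisory describes: stored values reach HTML as-is.
    return f"<div class='patient'>{p['name']}<br>{p['address']}</div>"

def render_header_encoded(p):
    # Encode for the HTML context at output time, whatever path wrote the data.
    name = html.escape(p["name"], quote=True)
    address = html.escape(p["address"], quote=True)
    return f"<div class='patient'>{name}<br>{address}</div>"

def suspicious_fields(p):
    """Names of demographic fields whose stored value contains tag-like markup."""
    return sorted(k for k, v in p.items()
                  if isinstance(v, str) and TAG_RE.search(v))

# Constructed sample records (hypothetical field names, harmless markup).
PATIENTS = [
    {"name": "Mary O'Brien", "address": "12 Elm St, Apt 4 & 5"},
    {"name": "Sam <b>Test</b>", "address": "9 Oak Rd"},
]

if __name__ == "__main__":
    for p in PATIENTS:
        print(suspicious_fields(p), render_header_encoded(p))
```

The scan is a review aid for data already stored; the output encoding is what removes the rendering flaw.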

Metrics

CVSS v3.1: 7.7
Severity: HIGH
Fixed in:
Affected Products: 1


HarborGuard Analysis

Synopsis

Stored cross-site scripting (XSS) in OpenEMR affects the prescription CSS/HTML multi-print feature, reachable over the network by a low-privilege patient portal account. A patient-portal user can write attacker-controlled HTML into their own demographic fields via the PUT api/patient/:num endpoint, bypassing audit review; when a clinician opens the print view, the injected script executes inside the clinician's authenticated browser session. Successful exploitation lets the attacker read CSRF tokens and session data, and perform actions as the clinician, crossing the patient-to-clinician trust boundary. A patched-image rebuild at version 8.0.0.1 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection

Detection of CVE-2026-46518 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images, including custom-built images that bundle OpenEMR. Any image whose OpenEMR installation falls below version 8.0.0.1 is flagged automatically.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at CVSS 7.7 HIGH and weighting that score against each customer environment's compliance policy to determine urgency. Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

Because a fix exists at version 8.0.0.1, a patched-image rebuild at that version becomes available through HarborGuard once the upstream release is confirmed. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker reaches the OpenEMR patient portal API over the network; the service must be exposed to the attacker's network path.

  • Authentication: Required

    A low-privilege patient portal account is sufficient; no administrative credentials are needed, but the attacker must be a registered portal user.

  • Victim interaction: Required

    A clinician must open the prescription CSS/HTML print view for the injected script to execute; the attacker depends on that user action to trigger the XSS payload.

  • Attack complexity: Detail

    Exploitation involves high complexity because the attacker must time the injected payload to survive any sanitization pass and rely on a clinician navigating to the affected print view, introducing environmental dependencies.

Blast Radius

  • Reads the clinician's active session tokens and CSRF tokens directly from the browser session.
  • Performs authenticated actions inside OpenEMR as the clinician, including accessing or modifying patient health records.
  • Crosses the patient-to-clinician trust boundary, allowing a low-privilege portal user to operate at clinician privilege level.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is matched against customer images within minutes of publication. A patched-image rebuild at OpenEMR 8.0.0.1 is available for any environment where the affected version is detected. For customers who opt into auto-remediation, HarborGuard rebuilds the image, runs a regression test, and opens a pull request against affected workloads; for high-severity CVEs, the median time from CVE publication to merged patch PR in environments with auto-remediation enabled is around 90 minutes. Where auto-remediation is not enabled or compliance policy requires manual review, the finding is surfaced in the team inbox for prioritized human action. Given the patient-to-clinician privilege escalation path, teams that cannot immediately patch should consider restricting network access to the patient portal API endpoint and reviewing audit logs for unexpected writes to patient demographic fields via the PUT api/patient/:num route.
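One way to carry out the log review suggested above, as an added example that is not HarborGuard or OpenEMR code. It assumes web server access logs in Combined Log Format; the sample lines, addresses, dates and the `/portal/` URL prefix are constructed, and only the route suffix `api/patient/:num` comes from the advisory.

```python
import re
from collections import Counter

# Combined Log Format: host ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# The URL prefix depends on the deployment, so match on the route suffix only.
ROUTE_RE = re.compile(r'(?:^|/)api/patient/(?P<num>\d+)/?(?:\?.*)?$')

def find_demographic_writes(lines):
    """Return one record per successful (2xx) PUT to api/patient/:num."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "PUT":
            continue
        route = ROUTE_RE.search(m["path"])
        if not route or not m["status"].startswith("2"):
            continue
        hits.append({"time": m["time"], "host": m["host"],
                     "patient": int(route["num"]), "status": int(m["status"])})
    return hits

def writes_per_patient(hits):
    """Count successful writes per patient number, for comparison with the audit queue."""
    return Counter(h["patient"] for h in hits)

# Constructed sample log lines.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2026:09:14:02 +0000] "PUT /portal/api/patient/41 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2026:09:14:40 +0000] "PUT /portal/api/patient/41 HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2026:09:20:11 +0000] "GET /portal/api/patient/17 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2026:09:21:45 +0000] "PUT /portal/api/patient/17 HTTP/1.1" 403 120 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [12/Mar/2026:10:02:30 +0000] "PUT /portal/api/patientdata/5 HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_demographic_writes(SAMPLE_LOG):
        print(hit)
```

Access logs do not record request bodies, so each hit identifies a record to inspect rather than confirming what was written.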

Affected packages

  • openemr / openemr: < 8.0.0.1

CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N