{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-21T04:57:38.515","vulnerabilities":[{"cve":{"id":"CVE-2026-32118","sourceIdentifier":"security-advisories@github.com","published":"2026-03-11T21:16:17.630","lastModified":"2026-03-13T15:49:56.083","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, stored cross-site scripting (XSS) in the Graphical Pain Map (\"clickmap\") form allows any authenticated clinician to inject arbitrary JavaScript that executes in the browser of every subsequent user who views the affected encounter form. Because session cookies are not marked HttpOnly, this enables full session hijacking of other users, including administrators. This vulnerability is fixed in 8.0.0.1."},{"lang":"es","value":"OpenEMR es una aplicación de gestión de registros médicos electrónicos y práctica médica de código abierto y gratuita. Antes de 8.0.0.1, el cross-site scripting (XSS) almacenado en el formulario del Mapa Gráfico del Dolor ('clickmap') permite a cualquier clínico autenticado inyectar JavaScript arbitrario que se ejecuta en el navegador de cada usuario posterior que visualiza el formulario de encuentro afectado. Debido a que las cookies de sesión no están marcadas como HttpOnly, esto permite el secuestro completo de la sesión de otros usuarios, incluidos los administradores. Esta vulnerabilidad se corrige en 8.0.0.1."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":2.7},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H","baseScore":9.0,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.3,"impactScore":6.0}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*","versionEndExcluding":"8.0.0.1","matchCriteriaId":"136D07EE-9108-423B-AD86-E9E901940C17"}]}]}],"references":[{"url":"https://github.com/openemr/openemr/security/advisories/GHSA-55qj-x8wh-m4rm","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}