Unrated severityNVD Advisory· Published Feb 25, 2026· Updated Feb 27, 2026
OpenEMR has a Stored XSS in GAD-7 Form that Enables Session Hijacking and Privilege Escalation
CVE-2025-69231
Description
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a stored cross-site scripting vulnerability in the GAD-7 anxiety assessment form allows authenticated users with clinician privileges to inject malicious JavaScript that executes when other users view the form. This enables session hijacking, account takeover, and privilege escalation from clinician to administrator. Version 8.0.0 fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
2- github.com/openemr/openemr/commit/5f20b756441fc9868f43410a9ef97536c38b2ba6mitrex_refsource_MISC
- github.com/openemr/openemr/security/advisories/GHSA-mf62-q2xc-hxm3mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.