CVE-2026-46518
Description
Stored XSS in OpenEMR's prescription print feature allows patients to inject JavaScript into clinician sessions via demographic fields.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stored cross-site scripting vulnerability exists in OpenEMR versions prior to 8.0.0.1 within the prescription CSS/HTML multi-print feature. Patient demographic fields, specifically name and address, are rendered without proper output encoding in the multiprintcss_header() function. This allows a patient portal user to inject malicious HTML and JavaScript code.
Exploitation
An attacker with patient portal credentials writes attacker-controlled HTML directly into their own demographic fields via the PUT api/patient/:num endpoint, bypassing the audit review workflow that the portal UI would normally route such edits through. When a clinician later opens the prescription printout, the injected script executes in the clinician's authenticated browser session on the main OpenEMR interface, since the rendering code lives in controllers/C_Prescription.class.php rather than in the portal [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in a clinician's browser session. This can lead to the theft of sensitive data such as CSRF tokens and session information. Furthermore, the attacker can perform actions as the clinician, effectively crossing the patient-to-clinician trust boundary and potentially compromising patient data or system integrity [1].
Mitigation
This vulnerability has been patched in OpenEMR version 8.0.0.1. Users are advised to upgrade to this version or later to address the security flaw. No workarounds are mentioned in the available references [1].
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
Root cause
"Patient demographic fields are rendered without output encoding in the prescription print view, and patients can write attacker-controlled HTML directly into patient data via an API endpoint."
Attack vector
A patient portal user must first inject malicious HTML into their demographic fields (e.g., first name) by calling the `PUT api/patient/:num` endpoint directly, bypassing the audit review workflow. This injection is possible because the endpoint allows direct writes to `patient_data` and lacks input sanitization [ref_id=1]. When a clinician later views a prescription for this patient using the CSS/HTML multi-print feature, the injected script executes within the clinician's authenticated session [ref_id=1].
Affected code
The vulnerability stems from missing output encoding in `multiprintcss_header()` within `controllers/C_Prescription.class.php` at lines 576 and 584, where patient name and address are echoed without escaping [ref_id=1]. Additionally, the `PUT api/patient/:num` endpoint in `portal/patient/_app_config.php` allows direct modification of patient data without proper sanitization, bypassing audit workflows [ref_id=1].
What the fix does
The patch HTML-escapes the patient's name and address where `multiprintcss_header()` renders them, so injected markup is displayed as text instead of being parsed and executed in the clinician's browser [ref_id=1]. The advisory does not describe changes to the API endpoint's access controls or input sanitization; the output encoding alone removes the XSS impact in this view. Because the fix acts at output time, any payload already written to patient_data remains stored after the upgrade; it is simply no longer interpreted as markup here.
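The following is an added illustrative example, not OpenEMR's code. It models the defect the advisory describes (demographic columns concatenated into the multi-print header without encoding) beside the escaped form, and adds a scan for markup already sitting in stored records, which output encoding does not remove. The function names, the record shape and the sample rows are constructed for this example; OpenEMR has its own escaping helpers for this purpose, but plain `htmlspecialchars` is used here so the block runs stand-alone.

```php
<?php
declare(strict_types=1);

// Added illustrative example; this is not OpenEMR's code. Function names,
// the record shape and the sample rows below are constructed.

// Constructed rows in the shape of a few patient_data columns. Row 7 carries
// the payload from the reproduction section, as a patient could store it via
// PUT api/patient/:num. Row 9 holds legitimate quotes and apostrophes.
const PATIENTS = [
    3 => ['fname' => 'Ann',  'lname' => 'Lee',   'street' => '12 Oak Ave', 'city' => 'Dayton'],
    7 => ['fname' => '<img src=x onerror=alert(document.domain)>',
          'lname' => 'Smith', 'street' => '1 Main St', 'city' => 'Springfield'],
    9 => ['fname' => "O'Brien", 'lname' => 'Pat', 'street' => '5 "Quote" Rd', 'city' => 'Reno'],
];

// Vulnerable pattern: raw column values concatenated into the header HTML.
function headerUnescaped(array $p): string
{
    return '<div class="patient">' . $p['fname'] . ' ' . $p['lname'] . '<br>'
         . $p['street'] . ', ' . $p['city'] . '</div>';
}

// Hardened pattern: every value that originates in patient_data passes
// through htmlspecialchars. ENT_QUOTES also encodes ' and ", so the same
// helper is safe inside attribute values; ENT_SUBSTITUTE prevents an
// invalid UTF-8 sequence from turning the whole field into an empty string.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function headerEscaped(array $p): string
{
    return '<div class="patient">' . esc($p['fname']) . ' ' . esc($p['lname']) . '<br>'
         . esc($p['street']) . ', ' . esc($p['city']) . '</div>';
}

// Output encoding stops execution but leaves the stored payload in place.
// After upgrading, list records whose demographic columns contain anything
// that looks like a tag or an inline event handler so they can be reviewed.
function findStoredMarkup(array $rows): array
{
    $hits = [];
    foreach ($rows as $id => $row) {
        foreach ($row as $col => $val) {
            // A tag opener or an on*= handler in a name or address is never legitimate.
            if (preg_match('/<\s*\/?\s*[a-z!]|\bon[a-z]+\s*=/i', $val)) {
                $hits[] = ['id' => $id, 'column' => $col, 'value' => $val];
            }
        }
    }
    return $hits;
}

foreach (PATIENTS as $id => $p) {
    echo "patient $id\n";
    echo "  vulnerable: " . headerUnescaped($p) . "\n";
    echo "  fixed:      " . headerEscaped($p) . "\n";
}

// Regression checks: the payload survives unescaped rendering verbatim and
// comes out as inert text from the escaped renderer.
$fixed7 = headerEscaped(PATIENTS[7]);
assert(str_contains(headerUnescaped(PATIENTS[7]), '<img src=x onerror='));
assert(!str_contains($fixed7, '<img'));
assert(str_contains($fixed7, '&lt;img src=x onerror=alert(document.domain)&gt;'));

$hits = findStoredMarkup(PATIENTS);
assert(count($hits) === 1 && $hits[0]['id'] === 7 && $hits[0]['column'] === 'fname');
echo "records needing review: " . json_encode($hits) . "\n";
```

The scan is deliberately coarse (it flags the row for a human, it does not rewrite it), because names and addresses legitimately contain characters such as `'`, `"`, `&` and `<` in free text, and because the right response to a stored payload is to review who wrote it and when, not only to delete it.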
Preconditions
- config: OpenEMR instance with the patient portal enabled.
- auth: Attacker must have patient portal credentials.
- input: Patient must have at least one existing prescription.
- network: Attacker must craft a direct API call to bypass the portal UI's audit workflow.
Reproduction
- Log in to the OpenEMR patient portal as any patient.
- Determine your patient_data.id by calling the portal's GET api/patientdata endpoint.
- From the same authenticated portal session, send a direct PUT request to api/patient/<your-id> with a JSON body containing an XSS payload in the fname field: `{"fname": "<img src=x onerror=alert(document.domain)>", "lname": "Smith"}`.
- As a clinician, log in to the main OpenEMR interface, open the patient's chart, navigate to Prescriptions, and choose "CSS/HTML Print (multi)" for any prescription belonging to that patient.
- The injected script executes in the clinician's browser context [ref_id=1].
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0 (no linked articles in our index yet)