CVE-2025-31121: 
OpenEMR vulnerability analysis and mitigation

OpenEMR, a free and open source electronic health records and medical practice management application, was found to contain a cross-site scripting (XSS) vulnerability in its Patient Image feature prior to version 7.0.3.1. The vulnerability was discovered and disclosed on April 1, 2025, affecting all versions before 7.0.3.1 (NVD, GitHub Advisory).

The vulnerability allows cross-site scripting attacks through the EXIF title in an image. The issue has been assigned CVE-2025-31121 and has received a CVSS v4.0 base score of 7.0 (High). The CVSS vector string is CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N, indicating that while the vulnerability requires high privileges and active user interaction, it can potentially lead to high impacts on both confidentiality and integrity (GitHub Advisory).

When successfully exploited, the vulnerability can lead to high impacts on both confidentiality and integrity of the system. The cross-site scripting vulnerability could potentially allow attackers to steal sensitive information, including user credentials, and perform unauthorized actions in the context of the affected user's session (GitHub Advisory).

The vulnerability has been fixed in OpenEMR version 7.0.3.1. Users are advised to upgrade to this version or later to mitigate the risk. No alternative workarounds have been publicly documented (NVD).