CVE-2025-32794: 
OpenEMR vulnerability analysis and mitigation

OpenEMR, a free and open source electronic health records and medical practice management application, was found to contain a stored cross-site scripting (XSS) vulnerability (CVE-2025-32794) in versions prior to 7.0.3.4. The vulnerability was discovered and disclosed on May 23, 2025. The vulnerability allows any authenticated user with patient creation privileges to inject arbitrary JavaScript code into the system by entering malicious payloads in the First and Last Name fields during patient registration, which is later executed when viewing the patient's encounter under Orders → Procedure Orders (GitHub Advisory, NVD).

The vulnerability exists in the file 'c:/xampp/htdocs/openemr/interface/forms/procedure_order/common.php', where an unsanitized patient name is assigned to the $title array on line 1050 and then directly rendered to the page without proper escaping on line 1057. The vulnerability has been assigned a CVSS v3.1 base score of 7.6 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N, indicating a network-based attack vector with low attack complexity requiring low privileges and user interaction (GitHub Advisory).

The vulnerability allows attackers to hijack sessions, perform unauthorized actions, or exfiltrate sensitive data such as patient records or credentials. Since the malicious script is stored and triggered automatically when viewing the patient's encounter, this poses a significant threat to application integrity and user trust. The impact affects all users who view the affected patient record, including administrators, clinicians, and other staff (GitHub Advisory, Wiz).

The vulnerability has been patched in OpenEMR version 7.0.3.4. Users are advised to upgrade to this version or later to mitigate the security risk (GitHub Advisory, NVD).