Loading
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.2, DOM-based stored XSS in the jQuery SearchHighlight plugin (`library/js/SearchHighlight.js`) allows an authenticated user with encounter form write access to inject arbitrary JavaScript that executes in another clinician's browser session when they use the search/find feature on the Custom Report page. The plugin reverses server-side HTML entity encoding by reading decoded text from DOM text nodes, concatenating it into a raw HTML string, and passing it to jQuery's `$()` constructor for HTML parsing. Version 8.0.0.2 fixes the issue.
Cite this page
CVE-2026-32119. CVEDatabase.com. Retrieved 1 May 2026. https://cvedatabase.com/cve/CVE-2026-32119
Use CWE-79, Open-Emr vendor hub and Openemr product page to widen CVE-2026-32119 into its surrounding weakness, vendor, and product context.
Compare it with CVE-2026-33917, CVE-2026-34055 and CVE-2026-34056 for nearby disclosures in the same product family.