Vulnerability Description
OpenEMR is a free and open source electronic health records and medical practice management application. A stored cross-site scripting (XSS) vulnerability in versions prior to 7.0.3.4 allows any authenticated user with patient creation privileges to inject arbitrary JavaScript code into the system by entering malicious payloads in the First and Last Name fields during patient registration. This code is later executed when viewing the patient's encounter under Orders → Procedure Orders. Version 7.0.3.4 contains a patch for the issue.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Open-Emr | Openemr | < 7.0.3.4 |
Related Weaknesses (CWE)
References
- https://github.com/openemr/openemr/security/advisories/GHSA-3c27-2m7h-f7rxExploitVendor Advisory
- https://github.com/openemr/openemr/security/advisories/GHSA-3c27-2m7h-f7rxExploitVendor Advisory
FAQ
What is CVE-2025-32794?
CVE-2025-32794 is a vulnerability with a CVSS score of 7.6 (HIGH). OpenEMR is a free and open source electronic health records and medical practice management application. A stored cross-site scripting (XSS) vulnerability in versions prior to 7.0.3.4 allows any authe...
How severe is CVE-2025-32794?
CVE-2025-32794 has been rated HIGH with a CVSS base score of 7.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-32794?
Check the references section above for vendor advisories and patch information. Affected products include: Open-Emr Openemr.