CVE-2026-32118 | OpenEMR has Stored XSS in Graphical Pain Map legend via unescaped annotation text
Exp
OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0.1, stored cross-site scripting (XSS) in the Graphical Pain Map ("clickmap") form allows any authenticated clinician to inject arbitrary JavaScript that executes in the browser of every subsequent user who views the affected encounter form. Because session cookies are not marked HttpOnly, this enables full session hijacking of other users, including administrators. This vulnerability is fixed in 8.0.0.1.
Conclusion & alert: CVE-2026-32118 is rated Exploit Available (50/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.28%).Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB).Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
Public exploit references (Exploit-DB) for CVE-2026-32118
Exploit prediction scoring system (EPSS) score for CVE-2026-32118
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).