PatchSiren cyber security CVE debrief
CVE-2026-46518 openemr CVE debrief
CVE-2026-46518 is a high-severity vulnerability in OpenEMR, a free and open-source electronic health records application. A stored cross-site scripting (XSS) vulnerability exists in the prescription CSS/HTML multi-print feature, allowing a patient portal user to execute arbitrary JavaScript in a clinician's browser session. This is possible because patient demographic fields (name, address) are rendered without output encoding in multiprintcss_header(), and portal patients can write attacker-controlled HTML directly into patient_data by calling the PUT api/patient/:num endpoint, bypassing the intended audit review workflow. The script runs with the clinician's privileges: it can read CSRF tokens and session data and perform actions as the clinician, crossing the patient-to-clinician trust boundary. The vulnerability has been patched in version 8.0.0.1.
- Vendor: openemr
- Product: Unknown
- CVSS: HIGH 7.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-11
Who should care
Clinicians and administrators running OpenEMR versions prior to 8.0.0.1, especially deployments that expose the patient portal, should be aware of this vulnerability and take immediate action to patch their systems.
Technical summary
A stored cross-site scripting (XSS) vulnerability exists in the prescription CSS/HTML multi-print feature of OpenEMR. Patient demographic fields are rendered without output encoding, and portal patients can write attacker-controlled HTML directly into patient_data. This allows a patient portal user to execute arbitrary JavaScript in a clinician's browser session, potentially leading to unauthorized actions.
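The defect class described above, as an added illustration that is not OpenEMR's code: a hypothetical header renderer in the unencoded form beside an encoded one, plus a check for demographic fields that already carry markup. The field names, function names and the sample record are constructed for the example.

```php
<?php
// Added example (not OpenEMR's code): the unsafe rendering pattern the debrief
// describes, beside the encoded form, plus an audit helper for stored records.
declare(strict_types=1);

// Constructed sample row standing in for a patient_data record written through
// the portal API; the name and street values carry markup, as a portal user could submit.
$patient = [
    'fname'  => 'Alice',
    'lname'  => 'Smith<script>/* constructed marker, no action */</script>',
    'street' => '1 Main St <img src=x onerror="/* constructed marker */">',
    'city'   => 'Springfield',
];

// Unsafe: interpolates database values straight into HTML. This is the defect
// class the debrief describes; markup stored by the patient reaches the clinician's browser intact.
function headerUnsafe(array $p): string
{
    return "<div class='pt'>{$p['fname']} {$p['lname']}<br>{$p['street']}, {$p['city']}</div>";
}

// Hardened: every patient-controlled value is HTML-encoded for the element-content
// context before interpolation, so stored markup is displayed as literal text.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function headerSafe(array $p): string
{
    return "<div class='pt'>" . e($p['fname']) . ' ' . e($p['lname'])
        . '<br>' . e($p['street']) . ', ' . e($p['city']) . '</div>';
}

// Audit helper: names the demographic fields that already contain tag-like or
// script-URL content, so records written before the patch can be reviewed.
// Output encoding alone renders them harmless but does not clean the database.
function fieldsWithMarkup(array $p): array
{
    return array_keys(array_filter(
        $p,
        fn(string $v): bool => (bool) preg_match('/<[a-zA-Z\/!]|javascript:/i', $v)
    ));
}

echo headerUnsafe($patient), PHP_EOL;  // markup survives: would execute when rendered
echo headerSafe($patient), PHP_EOL;    // markup encoded: shown as text, not parsed
print_r(fieldsWithMarkup($patient));   // lists the fields that need review
```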
Defensive priority
High
Recommended defensive actions
- Upgrade to OpenEMR version 8.0.0.1 or later.
- Review and restrict access to the PUT api/patient/:num endpoint.
- Until the upgrade is in place, verify that patient-supplied demographic fields are output-encoded wherever they are rendered, and review existing patient_data records for HTML markup that may already have been stored through the portal.
Evidence notes
CVE-2026-46518 has a CVSS score of 7.7 and is classified as HIGH severity. The vulnerability was published on 2026-06-10T00:16:53.960Z and modified on 2026-06-11T18:23:27.613Z.
Official resources
- CVE-2026-46518 CVE record (CVE.org)
- CVE-2026-46518 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: Exploit, Vendor Advisory