216.73.217.64

CVE-2026-21443

· Published 25/02/2026 02:16 · Modified 26/02/2026 15:34

Labels: CVE-2026-21443 2026-02-25CVE-2026-21443CWE-116[email protected]

Essential information

Published
25/02/2026 02:16
Modified
26/02/2026 15:34
Author
Creator
CVSS
1.2 LOW (v3) 1.2 LOW (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the `xl()` translation function returns unescaped strings. While wrapper functions exist for escaping in different contexts (`xlt()` for HTML, `xla()` for attributes, `xlj()` for JavaScript), there are places in the codebase where `xl()` output is used directly without escaping. If an attacker could insert malicious content into the translation database, these unescaped outputs could lead to XSS. Version 8.0.0 fixes the issue.

NVD status

Status
Analyzed — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
open-emr / openemr cpe:2.3:a:open-emr:openemr:*:*:*:*:*:*:*:*

References