CVE-2025-69231 HIGH

CVE-2025-69231: OpenEMR has a Stored XSS in GAD-7 Form that Enables Session Hijacking and Privilege Escalation

Vendor Openemr
Product openemr
Weakness CWE-79 · XSS
Published February 25, 2026
Last update February 27, 2026
View on NVD All CVEs

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01Description

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, a stored cross-site scripting vulnerability in the GAD-7 anxiety assessment form allows authenticated users with clinician privileges to inject malicious JavaScript that executes when other users view the form. This enables session hijacking, account takeover, and privilege escalation from clinician to administrator. Version 8.0.0 fixes the issue.

Key dates

02Disclosure timeline

February 25, 2026 CVE published
February 27, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2022-23988 WS Form < 1.8.176 - Unauthenticated Stored Cross-Site Scripting CVE-2025-34263 Advantech WISE-DeviceOn Server < 5.4 Authenticated Stored XSS via plugin-config/dashboards/menus CVE-2021-24168 Easy Contact Form Pro < 1.1.1.9 - Authenticated Stored Cross-Site Scripting (XSS) CVE-2025-58989 WordPress Dynamic Text Field For Contact Form 7 Plugin <= 1.0 - Cross Site Scripting (XSS) Vulnerability CVE-2025-49960 WordPress LeadBI Plugin for WordPress plugin <= 1.7 - Cross Site Scripting (XSS) vulnerability