
CVE-2025-32794: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in openemr openemr

High
Tags: Vulnerability, CVE-2025-32794, CWE-79
Published: Fri May 23 2025 (05/23/2025, 15:15:32 UTC)
Source: CVE
Vendor/Project: openemr
Product: openemr

Description

OpenEMR is a free and open source electronic health records and medical practice management application. A stored cross-site scripting (XSS) vulnerability in versions prior to 7.0.3.4 allows any authenticated user with patient creation privileges to inject arbitrary JavaScript code into the system by entering malicious payloads in the First and Last Name fields during patient registration. This code is later executed when viewing the patient's encounter under Orders → Procedure Orders. Version 7.0.3.4 contains a patch for the issue.

AI-Powered Analysis

Last updated: 07/08/2025, 21:27:18 UTC

Technical Analysis

CVE-2025-32794 is a stored cross-site scripting (XSS) vulnerability in OpenEMR, a widely used open-source electronic health records (EHR) and medical practice management system. It affects OpenEMR versions prior to 7.0.3.4. The flaw is an improper neutralization of input during web page generation (CWE-79) in the patient registration process: an authenticated user with patient creation privileges can enter JavaScript in the First and Last Name fields, the values are stored unchanged, and the script runs in the browser of any user who later views that patient's encounter under Orders → Procedure Orders. Exploitation therefore requires limited privileges (patient creation rights) and a victim's interaction (opening the affected view). The vulnerability has a CVSS v3.1 base score of 7.6 (high), reflecting a high confidentiality impact, limited integrity impact and no availability impact. The scope is changed (S:C), meaning the effect extends beyond the vulnerable component to other users who view the affected patient record. No exploits in the wild are reported yet, but the sensitivity of healthcare data and the potential for session hijacking, credential theft or follow-on actions through the injected script make the risk significant. The issue is patched in OpenEMR 7.0.3.4; upgrading to that version or later mitigates it.

Potential Impact

For European organizations, particularly healthcare providers using OpenEMR, this vulnerability poses a critical risk to patient data confidentiality and system trustworthiness. Exploitation could allow attackers to execute malicious scripts within the context of legitimate users, potentially leading to unauthorized access to sensitive health records, theft of credentials, or manipulation of patient data. Given the strict regulatory environment in Europe, including GDPR requirements for protecting personal health information, a successful attack could result in severe legal and financial consequences. Additionally, the persistent nature of the stored XSS means that multiple users accessing infected patient records could be compromised, amplifying the impact. The vulnerability could also undermine patient trust in digital health services and disrupt clinical workflows if exploited. Since the vulnerability requires authenticated access with patient creation privileges, insider threats or compromised accounts pose a significant risk vector. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as attackers often weaponize such vulnerabilities rapidly after disclosure.

Mitigation Recommendations

European healthcare organizations should prioritize upgrading OpenEMR installations to version 7.0.3.4 or later, where the vulnerability is patched. In addition to patching, organizations should restrict patient creation privileges to trusted personnel only, reducing the attack surface. A web application firewall (WAF) with rules that detect and block XSS payloads adds a further layer of defense. Regular security training for staff on the risks of untrusted input, together with monitoring of audit logs for unusual patient creation activity, can help detect abuse. Organizations should also run regular vulnerability assessments and penetration tests focused on web application security to find similar issues proactively. Content Security Policy (CSP) headers limit the impact of XSS by restricting which scripts a browser may execute. Finally, incident response plans should include procedures for handling XSS incidents in healthcare applications so that the organization can respond effectively.
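The two controls above that a defender can implement directly are output neutralization of stored names (the fix class for CWE-79) and review of patient-creation audit events for name values that contain markup. The following added example (not OpenEMR's own code; the JSON event format and field names are constructed for illustration) shows both: `render_name` escapes a name for an HTML text context, and `find_suspicious_patient_creations` flags creation events whose name fields contain tags, event-handler attributes or `javascript:` URLs.

```python
import html
import json
import re

# Constructed sample audit events for patient creation; the format is assumed, not OpenEMR's.
SAMPLE_EVENTS = [
    '{"event": "patient-record-insert", "user": "frontdesk1", "fname": "Jane", "lname": "Doe"}',
    '{"event": "patient-record-insert", "user": "frontdesk2", "fname": "Tom", "lname": "O\'Brien"}',
    '{"event": "patient-record-insert", "user": "temp_acct", "fname": "Jane<script>t()</script>", "lname": "Doe"}',
    '{"event": "patient-record-insert", "user": "temp_acct", "fname": "Ann", "lname": "<img src=x onerror=t()>"}',
    '{"event": "login", "user": "frontdesk1"}',
]

# Heuristic for markup that has no business in a person's name: an opening/closing tag,
# an inline event-handler attribute, or a javascript: URL. Apostrophes and hyphens are allowed.
MARKUP_RE = re.compile(r"<[a-zA-Z/!]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def render_name(fname: str, lname: str) -> str:
    """Neutralize a stored name for an HTML text context before it reaches the page."""
    return html.escape(f"{fname} {lname}", quote=True)


def is_suspicious_name(value: str) -> bool:
    """True when the value contains markup per the heuristic above."""
    return bool(MARKUP_RE.search(value))


def find_suspicious_patient_creations(lines):
    """Return (user, field, stored_value) for patient-creation events with markup in a name field."""
    hits = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the review
        if event.get("event") != "patient-record-insert":
            continue
        for field in ("fname", "lname"):
            value = event.get(field, "")
            if is_suspicious_name(value):
                hits.append((event.get("user"), field, value))
    return hits


if __name__ == "__main__":
    for user, field, value in find_suspicious_patient_creations(SAMPLE_EVENTS):
        print(f"user={user} field={field} stored={value!r} safe_render={render_name(value, '')!r}")
```

The heuristic is intentionally narrow so that legitimate names such as O'Brien are not flagged; tune it to the name conventions of your patient population before alerting on it.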


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-04-10T12:51:12.281Z
CISA Enriched: false
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6830962c0acd01a249273fb5

Added to database: 5/23/2025, 3:37:16 PM

Last enriched: 7/8/2025, 9:27:18 PM

Last updated: 8/1/2025, 1:49:30 AM

