Security Advisory

CVE-2026-21443

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-02-25 01:23:22

Last updated 2026-02-25 21:15:31

Assigner GitHub_M

State PUBLISHED

Description

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the `xl()` translation function returns unescaped strings. While wrapper functions exist for escaping in different contexts (`xlt()` for HTML, `xla()` for attributes, `xlj()` for JavaScript), there are places in the codebase where `xl()` output is used directly without escaping. If an attacker could insert malicious content into the translation database, these unescaped outputs could lead to XSS. Version 8.0.0 fixes the issue.

← Browse all CVEs View on cve.org ↗