CVE-2025-69231
Published: 25 February 2026
Description
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Security Summary
CVE-2025-69231 is a stored cross-site scripting (XSS) vulnerability, mapped to CWE-79, in OpenEMR, a free and open-source electronic health records and medical practice management application. The issue resides in the GAD-7 anxiety assessment form and affects versions prior to 8.0.0. It carries a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N) and was published on 2026-02-25.
Authenticated users with clinician privileges can exploit the vulnerability by injecting malicious JavaScript into the GAD-7 form. When other users view the form, the injected script executes in their browsers, enabling session hijacking, account takeover, and privilege escalation from clinician to administrator.
OpenEMR version 8.0.0 resolves the vulnerability. Additional mitigation details are available in the GitHub security advisory at https://github.com/openemr/openemr/security/advisories/GHSA-mf62-q2xc-hxm3 and the fixing commit at https://github.com/openemr/openemr/commit/5f20b756441fc9868f43410a9ef97536c38b2ba6.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Stored XSS in public-facing web app (OpenEMR) enables exploitation of remote services (T1190) and facilitates stealing web session cookies via injected JavaScript for session hijacking and account takeover (T1539).
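The defensive pattern behind the Security Summary and the ATT&CK mapping above, as an added JavaScript (Node) illustration. This is not OpenEMR code and does not reproduce the GAD-7 form; the record fields, the sample comment value, the cookie name and the validation regexes are constructed assumptions. It contrasts a rendering sink that interpolates a stored field into HTML unchanged (so markup in the field executes in the viewing user's browser) with the same sink after entity encoding at output, and shows the session cookie attributes that act as defence in depth: HttpOnly keeps the cookie out of document.cookie, though it does not stop an injected script from acting inside the page.

```javascript
// Added illustration, not OpenEMR code. Field names, sample values and the
// cookie name below are constructed for the example.

// Minimal HTML entity encoder for text nodes and quoted attribute values.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Constructed sample: a stored assessment record whose free-text comment field
// carries markup, as a value saved by one user and later viewed by another might.
const storedAssessment = {
  patientName: 'Test Patient',
  totalScore: 12,
  comment: '<script>document.title = "injected"</script>',
};

// Vulnerable rendering: stored values are dropped into HTML as-is, so the
// browser of whoever views the record parses and runs the embedded script.
function renderUnsafe(record) {
  return `<tr><td>${record.patientName}</td>` +
         `<td>${record.totalScore}</td>` +
         `<td>${record.comment}</td></tr>`;
}

// Hardened rendering: every untrusted field is entity-encoded at the point of
// output, so the same stored value is displayed as literal text.
function renderSafe(record) {
  return `<tr><td>${escapeHtml(record.patientName)}</td>` +
         `<td>${escapeHtml(record.totalScore)}</td>` +
         `<td>${escapeHtml(record.comment)}</td></tr>`;
}

// Rough check used here to compare the two renderings: does the output still
// contain an element the browser would execute as script?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Session cookie attributes as defence in depth against cookie theft by
// injected script: HttpOnly hides the cookie from document.cookie, Secure
// restricts it to HTTPS, SameSite=Lax limits cross-site sending.
function buildSessionCookie(name, value, maxAgeSeconds = 3600) {
  // Reject separators and whitespace so a value cannot smuggle extra attributes.
  if (/[\s;,=]/.test(name) || /[\s;,]/.test(value)) {
    throw new Error('invalid cookie name or value');
  }
  return [
    `${name}=${value}`,
    'Path=/',
    `Max-Age=${maxAgeSeconds}`,
    'Secure',
    'HttpOnly',
    'SameSite=Lax',
  ].join('; ');
}

// Stand-alone run: show both renderings side by side and a hardened cookie.
console.log('unsafe:', renderUnsafe(storedAssessment));
console.log('safe:  ', renderSafe(storedAssessment));
console.log('cookie:', buildSessionCookie('sessionid', 'constructed-token-value'));
```

Encoding belongs at the output sink for the context being written (here, HTML text and attribute values); storing an already-encoded value or filtering on input is fragile because the same data may later be rendered into a different context. The cookie attributes reduce the impact of a successful injection but do not remove the need for the output fix.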