CVE-2025-41003: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Imaster Patient Record Management System
Imaster's Patient Record Management System contains a stored Cross-Site Scripting (XSS) vulnerability in the endpoint ‘/projects/hospital/admin/edit_patient.php’. By injecting a malicious script into the ‘firstname’ parameter, the JavaScript code is stored and executed every time a user accesses the patient list, allowing an attacker to execute arbitrary JavaScript in a victim's browser.
AI Analysis
Technical Summary
CVE-2025-41003 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79 found in Imaster's Patient Record Management System, specifically in the endpoint ‘/projects/hospital/admin/edit_patient.php’. The vulnerability arises because the ‘firstname’ parameter accepts user input without proper neutralization or sanitization, allowing an attacker to inject malicious JavaScript code that is stored persistently in the system's database. When a legitimate user accesses the patient list, the injected script executes in their browser context, enabling the attacker to perform actions such as session hijacking, cookie theft, or redirecting users to malicious sites. The vulnerability affects all versions of the product, indicating a systemic issue in input handling. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N) shows that the attack can be launched remotely over the network with low complexity and low privileges (PR:L), and that it requires user interaction (visiting the patient list page). The vector rates the impact on the vulnerable system's confidentiality, integrity, and availability as none and the confidentiality and integrity impact on subsequent systems as low (SC:L/SI:L); this is limited but significant in a healthcare context where patient data integrity and privacy are critical. No patches or known exploits are currently available, but the vulnerability's presence in a healthcare system makes it a high-value target for attackers aiming to disrupt services or steal sensitive information. The vulnerability was reserved in April 2025 and published in January 2026, with INCIBE as the assigner. The lack of patch links suggests that organizations must implement mitigations proactively.
Potential Impact
For European healthcare organizations, this vulnerability poses a risk to patient data confidentiality and system integrity. Exploitation could lead to unauthorized access to sensitive patient information, manipulation of displayed data, or execution of malicious scripts that compromise user sessions and credentials. This undermines trust in healthcare IT systems and could result in regulatory non-compliance with GDPR due to data breaches. Additionally, attackers could use the vulnerability as a foothold to escalate attacks within hospital networks, potentially disrupting critical healthcare services. The medium CVSS score reflects moderate risk, but the healthcare context elevates the potential impact. Organizations relying on Imaster's Patient Record Management System may face reputational damage, legal consequences, and operational disruptions if the vulnerability is exploited. The absence of known exploits currently provides a window for remediation before widespread attacks occur.
Mitigation Recommendations
Organizations should immediately implement strict input validation and output encoding on the ‘firstname’ parameter and all other user inputs to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Review and restrict user privileges to minimize the impact of potential exploitation, ensuring that only trusted personnel can edit patient records. Conduct thorough code audits of the Patient Record Management System to identify and remediate similar vulnerabilities. Monitor logs for suspicious activity related to the vulnerable endpoint. Since no official patches are available, consider deploying Web Application Firewalls (WAFs) with custom rules to detect and block XSS payloads targeting this endpoint. Educate users about the risks of clicking on suspicious links or accessing untrusted content within the system. Engage with Imaster for updates on patches and security advisories. Regularly back up patient data and test incident response plans to prepare for potential exploitation scenarios.
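An added example (not Imaster's code, which the page does not show) of the first two recommendations above, written in PHP because the affected endpoint is a PHP script: validate ‘firstname’ on write, encode it on every read, and send a CSP header. The function names, the allowed name characters, the 64-character limit, and the sample row are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; names are not taken from the product.

/** Input validation: accept only characters plausible in a given name. */
function validate_firstname(string $raw): ?string
{
    $name = trim($raw);
    // Unicode letters and combining marks, then space, period, apostrophe, hyphen.
    if (preg_match('/^[\p{L}\p{M}][\p{L}\p{M} .\'\-]{0,63}\z/u', $name) !== 1) {
        return null; // reject outright instead of trying to strip markup
    }
    return $name;
}

/** Output encoding for HTML text and quoted-attribute contexts. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render one patient-list row with every stored field encoded. */
function render_patient_row(array $patient): string
{
    return '<tr><td>' . h((string) $patient['id']) . '</td><td>'
         . h($patient['firstname']) . '</td></tr>';
}

/** CSP that disallows inline script, as a second layer if an h() call is missed. */
function csp_header(): string
{
    return "Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'none'";
}

// Constructed sample: a row stored before any validation existed.
$legacy = ['id' => 7, 'firstname' => '<script>/* constructed marker */</script>'];

if (PHP_SAPI !== 'cli') {
    header(csp_header()); // must be sent before any body output
}
var_dump(validate_firstname("Anne-Marie O'Neil"));  // a plausible given name
var_dump(validate_firstname($legacy['firstname'])); // a markup-bearing value
echo render_patient_row($legacy), PHP_EOL;          // legacy row, encoded on output
```

Encoding at output is what neutralizes rows already stored in the database; input validation only stops new ones. A `script-src 'self'` policy also blocks the application's own inline scripts, so test it with `Content-Security-Policy-Report-Only` first.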
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: INCIBE
- Date Reserved: 2025-04-16T09:08:41.550Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6964fcfbda2266e838a66dca
Added to database: 1/12/2026, 1:54:03 PM
Last enriched: 1/12/2026, 2:08:09 PM
Last updated: 2/27/2026, 3:57:34 AM