CVE-2025-54759 is a stored Cross-Site Scripting (XSS) vulnerability identified in the Santesoft Sante PACS Server, a medical imaging and archiving system used in healthcare environments. The vulnerability arises due to improper neutralization of input during web page generation (CWE-79), allowing an attacker to inject malicious HTML or JavaScript code that is persistently stored on the server and later executed in the context of a victim's browser. Specifically, an attacker could craft malicious input that, when viewed by a legitimate user, executes in their browser session. This can lead to redirection to malicious websites and theft of session cookies, potentially enabling session hijacking or unauthorized access to sensitive patient data. The CVSS 4.0 base score of 5.1 reflects a medium severity, with network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:A). The vulnerability impacts confidentiality and integrity with limited impact on availability. No known exploits are currently reported in the wild, and no patches have been published yet. The vulnerability affects version 0 of the product, which likely refers to initial or early releases. Given the nature of PACS servers as critical infrastructure in healthcare, exploitation could have serious consequences for patient data privacy and trust in medical systems.

For European organizations, particularly healthcare providers and hospitals using Santesoft Sante PACS Server, this vulnerability poses a significant risk to patient data confidentiality and system integrity. Successful exploitation could allow attackers to steal session cookies, leading to unauthorized access to medical images and patient records, violating GDPR and other data protection regulations. This could result in reputational damage, regulatory fines, and disruption of healthcare services. Although the vulnerability requires user interaction, healthcare staff often access PACS systems regularly, increasing the likelihood of exploitation. Furthermore, compromised PACS servers could serve as pivot points for broader network intrusion within healthcare institutions. The impact extends beyond individual organizations to potentially affect national healthcare infrastructure and patient safety in Europe.

Given the absence of an official patch, European healthcare organizations should implement immediate compensating controls. These include: 1) Input validation and output encoding at the application layer to sanitize user-supplied data and prevent script injection; 2) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers; 3) Enforce strict session management practices such as HttpOnly and Secure flags on cookies to mitigate cookie theft; 4) Conduct user awareness training to reduce the risk of social engineering that could trigger user interaction; 5) Monitor web server logs and network traffic for suspicious activities indicative of XSS exploitation attempts; 6) Isolate the PACS server within segmented network zones with limited access to reduce lateral movement; 7) Engage with Santesoft for timely updates and patches, and plan for rapid deployment once available; 8) Consider deploying Web Application Firewalls (WAFs) with XSS detection and blocking capabilities tailored to the PACS server environment.