CVE-2025-54853 is a reflected cross-site scripting (XSS) vulnerability identified in MedDream PACS Premium version 7.3.6.870, a widely used medical imaging and archiving system. The vulnerability resides in the modifyUser functionality, where insufficient input sanitization allows an attacker to inject malicious JavaScript code via a crafted URL. When a victim user clicks or is redirected to this URL, the injected script executes in their browser context, potentially allowing the attacker to steal session cookies, perform unauthorized actions on behalf of the user, or manipulate the web interface. This vulnerability does not require prior authentication but does require user interaction (clicking the malicious link). The CVSS 3.1 base score is 6.1, reflecting medium severity with network attack vector, low attack complexity, no privileges required, user interaction needed, and impacts on confidentiality and integrity but not availability. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. No public exploits or patches are currently available, increasing the urgency for proactive mitigation. Given the critical nature of PACS systems in healthcare workflows, exploitation could disrupt clinical operations or lead to unauthorized access to sensitive patient data. The reflected XSS nature means the attack is transient and requires social engineering to succeed. The vulnerability was reserved in August 2025 and published in January 2026, indicating recent discovery and disclosure.

For European organizations, especially healthcare providers relying on MedDream PACS Premium 7.3.6.870, this vulnerability poses a risk to patient data confidentiality and system integrity. Successful exploitation could allow attackers to hijack user sessions, access sensitive medical images and patient information, or perform unauthorized modifications to user accounts or system settings. This could lead to privacy violations under GDPR, potential disruption of medical workflows, and reputational damage. Although the vulnerability does not directly impact system availability, the indirect effects of compromised user accounts or data leakage could be severe. The requirement for user interaction means phishing or social engineering campaigns could be used to deliver the malicious URLs. European healthcare institutions are attractive targets due to the sensitivity of medical data and the critical nature of PACS systems. The absence of known exploits currently provides a window for mitigation, but the medium severity score indicates a meaningful risk that should not be ignored.

1. Monitor MedDream vendor communications closely and apply security patches or updates immediately once available for version 7.3.6.870 or later. 2. Implement strict input validation and output encoding on all user-supplied data in the modifyUser functionality to neutralize malicious scripts. 3. Deploy Web Application Firewalls (WAFs) configured to detect and block reflected XSS attack patterns targeting the PACS web interface. 4. Educate healthcare staff about the risks of clicking on unsolicited or suspicious URLs, emphasizing phishing awareness. 5. Use Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the PACS web application. 6. Conduct regular security assessments and penetration testing focused on web application vulnerabilities in the PACS environment. 7. Limit user privileges and session lifetimes to reduce the impact of potential session hijacking. 8. Consider network segmentation to isolate PACS systems from general user networks, reducing exposure to malicious links. These measures collectively reduce the attack surface and improve resilience against exploitation of this XSS vulnerability.