
CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server

Medium
Published: Mon Aug 18 2025 (08/18/2025, 21:23:42 UTC)
Source: CVE Database V5
Vendor/Project: Santesoft
Product: Sante PACS Server

Description

Sante PACS Server web portal is vulnerable to stored cross-site scripting. An attacker could inject malicious HTML code redirecting a user to a malicious webpage and stealing the user's cookie.

AI-Powered Analysis

AI analysis last updated: 08/26/2025, 01:32:05 UTC

Technical Analysis

CVE-2025-54862 is a stored cross-site scripting (XSS) vulnerability identified in the Santesoft Sante PACS Server web portal. It arises from improper neutralization of input during web page generation, classified under CWE-79: the web portal fails to encode user-supplied input before embedding it in generated pages, so an attacker can store HTML or JavaScript that the server later emits verbatim. When a legitimate user opens the affected page, the injected script executes in that user's browser context. This can lead to unauthorized actions such as redirecting users to malicious websites and stealing session cookies, which could facilitate session hijacking or unauthorized access to the PACS system. The vulnerability affects version 0 of the product, with no patches currently available. The CVSS v4.0 base score is 4.8, a medium severity rating. The attack vector is network-based with low attack complexity, requiring low privileges and user interaction. The impact on confidentiality and integrity is rated low, with no direct availability impact. No known exploits are reported in the wild as of the publication date (August 18, 2025). Stored XSS in a healthcare PACS (Picture Archiving and Communication System) server is particularly concerning because it can expose sensitive medical imaging data and patient information, potentially violating privacy regulations and undermining trust in healthcare IT systems.

Potential Impact

For European organizations, especially healthcare providers using the Sante PACS Server, this vulnerability poses a risk to patient data confidentiality and system integrity. Successful exploitation could allow attackers to hijack user sessions, leading to unauthorized access to sensitive medical images and patient records. This could result in data breaches, non-compliance with GDPR and other healthcare data protection regulations, and reputational damage. Additionally, redirected users might be exposed to further phishing or malware attacks. The impact is heightened in healthcare environments where availability and integrity of imaging data are critical for patient care. Although the CVSS score indicates medium severity, the sensitive nature of healthcare data and the regulatory environment in Europe amplify the consequences of exploitation. Because no patch is available, organizations must rely on compensating controls until a fix is released.

Mitigation Recommendations

European healthcare organizations using Sante PACS Server should implement the following specific mitigations:

1) Employ web application firewalls (WAFs) with custom rules to detect and block malicious input patterns targeting the vulnerable endpoints.
2) Conduct input validation and output encoding at the application layer where possible, even if the vendor patch is unavailable, by applying reverse proxies or middleware that sanitize inputs and outputs.
3) Enforce strict Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the PACS portal.
4) Educate users to recognize suspicious redirects and avoid clicking on unexpected links within the portal.
5) Monitor web server and application logs for unusual activity indicative of attempted XSS exploitation.
6) Segregate the PACS server network segment and restrict access to authorized personnel only, minimizing exposure.
7) Engage with the vendor for timely patch releases and apply updates promptly once available.
8) Regularly audit and review user privileges to limit the potential impact of compromised accounts.

These measures go beyond generic advice by focusing on layered defenses tailored to the healthcare PACS environment and the specific nature of stored XSS.
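The following Python example is added here to make the CWE-79 defect and the compensating controls above concrete; it is not code from Sante PACS Server or from the advisory. It contrasts a vulnerable render that emits a stored field verbatim with a hardened render that HTML-encodes it (mitigation 2), builds the CSP and cookie headers that limit damage when encoding is missed (mitigation 3), and scans constructed access-log lines for encoded script markers (mitigation 5). The stored value, the log lines, the `/portal/...` paths and the nonce are all constructed for illustration and do not describe the real product.

```python
import html
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample: a free-text field as a web portal might store it.
# The <script> tag is a benign probe used only to show the encoding difference.
STORED_VALUE = "Chest CT <script>alert('xss')</script>"

# Minimal page skeleton standing in for the portal's HTML text context.
PAGE_TEMPLATE = "<html><body><h1>Study</h1><p>{body}</p></body></html>"

# Matches an executable script opening tag, case-insensitively.
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)

# Markers worth flagging in request logs once percent-encoding is removed.
SUSPICIOUS = re.compile(r"<script\b|javascript:|on\w+\s*=", re.IGNORECASE)


def render_unsafe(value: str) -> str:
    """Vulnerable pattern (CWE-79): stored input lands in the page unencoded."""
    return PAGE_TEMPLATE.format(body=value)


def render_safe(value: str) -> str:
    """Hardened pattern: encode for the HTML text context before emitting."""
    return PAGE_TEMPLATE.format(body=html.escape(value, quote=True))


def contains_live_script(rendered: str) -> bool:
    """True if the rendered page still carries a real <script> opening tag."""
    return SCRIPT_TAG.search(rendered) is not None


def defensive_headers(nonce: str) -> Dict[str, str]:
    """Response headers a reverse proxy or middleware can add in front of the portal.

    The CSP only allows same-origin scripts and inline scripts carrying the
    per-response nonce, so an injected <script> without the nonce is blocked.
    HttpOnly keeps the session cookie out of reach of document.cookie.
    The cookie name is a placeholder, not the product's real cookie.
    """
    return {
        "Content-Security-Policy": (
            f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
            "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
        ),
        "X-Content-Type-Options": "nosniff",
        "Set-Cookie": "SESSIONID=<placeholder>; HttpOnly; Secure; SameSite=Lax",
    }


def flag_suspicious_requests(log_lines: List[str]) -> List[str]:
    """Return log lines that contain script markers, after percent-decoding."""
    return [line for line in log_lines if SUSPICIOUS.search(unquote(line))]


# Constructed access-log lines in a common log style (not real portal traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Aug/2025:10:01:02 +0000] "GET /portal/study?id=123 HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Aug/2025:10:02:17 +0000] "POST /portal/comment HTTP/1.1" 302 0 "<script>alert(1)</script>"',
    '10.0.0.9 - - [18/Aug/2025:10:02:40 +0000] "GET /portal/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2048',
    '10.0.0.7 - - [18/Aug/2025:10:03:55 +0000] "GET /portal/patient?name=O%27Brien HTTP/1.1" 200 1024',
]


if __name__ == "__main__":
    print("unsafe render executes script:", contains_live_script(render_unsafe(STORED_VALUE)))
    print("safe render executes script:  ", contains_live_script(render_safe(STORED_VALUE)))
    print("safe output:", render_safe(STORED_VALUE))
    for name, value in defensive_headers("r4nd0m").items():
        print(f"{name}: {value}")
    for line in flag_suspicious_requests(SAMPLE_LOG):
        print("FLAG:", line)
```

The nonce must be generated fresh per response and placed on every legitimate `<script>` tag the portal emits; a static nonce defeats the policy. The log scan is a coarse first filter that decodes percent-encoding before matching, so `%3Cscript%3E` is caught alongside the literal tag, while an apostrophe in a patient name does not trip it.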


Technical Details

Data Version
5.1
Assigner Short Name
icscert
Date Reserved
2025-08-05T22:22:55.583Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68a39bfcad5a09ad00df5d7e

Added to database: 8/18/2025, 9:32:44 PM

Last enriched: 8/26/2025, 1:32:05 AM

Last updated: 9/30/2025, 5:42:04 AM
