CVE-2025-58089: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in MedDream MedDream PACS Premium
CVE-2025-58089 is a medium-severity reflected cross-site scripting (XSS) vulnerability in MedDream PACS Premium version 7.3.6.870, specifically in the config.php functionality affecting the longtermdir parameter. An attacker can craft malicious URLs that, when visited by a user, execute arbitrary JavaScript code in the victim's browser. This vulnerability requires no authentication but does require user interaction (clicking the malicious link). The vulnerability impacts confidentiality and integrity by potentially stealing session tokens or manipulating web content, but does not affect availability. No known exploits are currently reported in the wild. European healthcare organizations using this PACS software are at risk, especially in countries with significant healthcare IT infrastructure.
AI Analysis
Technical Summary
CVE-2025-58089 is a reflected cross-site scripting (XSS) vulnerability identified in MedDream PACS Premium version 7.3.6.870, medical imaging software widely used for managing and viewing medical images. The vulnerability resides in the config.php functionality, specifically in the longtermdir parameter, which fails to properly neutralize user-supplied input before including it in web page generation. This improper input sanitization allows attackers to craft malicious URLs containing JavaScript payloads that execute in the context of the victim's browser when the URL is accessed. The vulnerability is classified under CWE-79, indicating improper neutralization of input during web page generation. The CVSS v3.1 base score is 6.1, reflecting a medium severity level, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability can affect resources beyond the vulnerable component. The impact affects confidentiality and integrity (C:L/I:L) but not availability (A:N). While no known exploits are currently reported in the wild, the vulnerability poses a risk of session hijacking, credential theft, or unauthorized actions performed via malicious scripts. Given the critical nature of PACS systems in healthcare, exploitation could lead to unauthorized access to sensitive patient data or manipulation of medical imaging workflows. The vulnerability was reserved in August 2025 and published in January 2026, indicating recent discovery and disclosure. No official patches are currently linked, so mitigation relies on defensive controls and vendor updates when available.
Potential Impact
For European organizations, particularly healthcare providers using MedDream PACS Premium 7.3.6.870, this vulnerability could lead to unauthorized disclosure of sensitive patient information through session hijacking or theft of authentication tokens. The integrity of medical imaging workflows could be compromised, potentially affecting diagnosis and treatment decisions. Although availability is not directly impacted, the trustworthiness of the PACS system could be undermined, leading to reputational damage and regulatory consequences under GDPR due to data breaches. The requirement for user interaction means phishing or social engineering campaigns could be used to lure healthcare staff into clicking malicious links. Given the critical role of PACS in clinical environments, even medium-severity vulnerabilities warrant prompt attention to avoid cascading impacts on patient care and compliance.
Mitigation Recommendations
1. Monitor MedDream vendor communications closely and apply official patches or updates as soon as they become available to remediate the vulnerability directly.
2. Implement strict input validation and output encoding on the longtermdir parameter within the web application to neutralize malicious scripts.
3. Deploy Web Application Firewalls (WAFs) configured to detect and block reflected XSS attack patterns targeting the vulnerable parameter.
4. Conduct user awareness training for healthcare staff to recognize and avoid phishing attempts that could deliver malicious URLs.
5. Use Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the PACS web interface.
6. Regularly audit and monitor web server logs for suspicious URL access patterns indicative of exploitation attempts.
7. Isolate PACS systems within secure network segments with limited external exposure to reduce attack surface.
8. Employ multi-factor authentication (MFA) for PACS access to mitigate session hijacking risks.
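The log-audit recommendation above (item 6) can be put into practice with a small script that parses web server access logs, isolates requests to config.php, fully percent-decodes the longtermdir value and flags markup-like content. This is an added example, not code from MedDream or from this advisory; it assumes the Apache/nginx combined log format, and the log lines below are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [20/Jan/2026:15:06:01 +0000] "GET /config.php?longtermdir=%2Fdata%2Farchive HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [20/Jan/2026:15:07:13 +0000] "GET /config.php?longtermdir=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.9 - - [20/Jan/2026:15:08:44 +0000] "GET /config.php?longtermdir=x%22%20onerror%3Dalert(1)%20 HTTP/1.1" 200 640 "-" "Mozilla/5.0"
10.0.0.7 - - [20/Jan/2026:15:09:02 +0000] "GET /viewer.php?study=123 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Markers that never belong in a directory path: HTML tags, on* event handlers, javascript: URLs.
SUSPICIOUS = re.compile(r'<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:', re.IGNORECASE)


def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding so double-encoded input is inspected decoded."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_suspicious_requests(log_text, path="/config.php", param="longtermdir"):
    """Return (ip, timestamp, decoded value) for requests to `path` whose `param` carries markup-like input."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != path:
            continue
        # parse_qs decodes one layer; decode_fully strips any further layers before inspection.
        for raw in parse_qs(url.query, keep_blank_values=True).get(param, []):
            value = decode_fully(raw)
            if SUSPICIOUS.search(value):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits


if __name__ == "__main__":
    for ip, ts, value in find_suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} suspicious longtermdir value: {value!r}")
```

Feed it a real access log with `find_suspicious_requests(open(path).read())`; the pattern list is deliberately narrow, so extend it to the markup your WAF already blocks rather than treating a miss as a clean log.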
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Belgium, Switzerland, Austria
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- talos
- Date Reserved
- 2025-08-22T16:31:20.728Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 696f99d94623b1157c3aa4ba
Added to database: 1/20/2026, 3:06:01 PM
Last enriched: 1/27/2026, 8:06:37 PM
Last updated: 2/4/2026, 10:36:29 PM