CVE-2025-54778
BaseFortify

Publication date: 2026-01-20

Last updated on: 2026-01-29

Assigner: Talos

Description
A reflected cross-site scripting (XSS) vulnerability exists in the existingUser functionality of MedDream PACS Premium 7.3.6.870. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability.
Meta Information
Published: 2026-01-20
Last Modified: 2026-01-29
Generated: 2026-06-16
AI Q&A: 2026-01-20
EPSS Evaluated: 2026-06-15
References: NVD, EUVD
Affected Vendors & Products (one associated CPE)
Vendor: meddream
Product: pacs_server
Version / Range: 7.3.6.870
CWE ID and Description
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions
Executive Summary

CVE-2025-54778 is a reflected cross-site scripting (XSS) vulnerability in the existingUser functionality of MedDream PACS Premium version 7.3.6.870. It occurs because the application takes the 'external' parameter from the URL query string without proper sanitization and directly inserts it into the HTML output. This allows an attacker to craft a malicious URL that, when visited by an authenticated user, executes arbitrary JavaScript code in the user's browser. [1]

Compliance Impact

The provided resources do not specify how this reflected XSS vulnerability in MedDream PACS Premium affects compliance with standards such as GDPR or HIPAA.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary JavaScript code in the context of an authenticated user's browser. This can lead to theft of sensitive information, session hijacking, or performing actions on behalf of the user within the MedDream PACS application. Since the vulnerability requires user interaction (clicking a crafted URL), it can be exploited through phishing or social engineering attacks. [1]

Detection Guidance

This vulnerability can be detected by testing the existingUser functionality, specifically the Pacs/existingUser.php script, for reflected cross-site scripting via the 'external' URL parameter. You can craft a URL with a script tag injected into the 'external' parameter and observe if the JavaScript executes in the browser. For example, use curl or wget to send a request with a malicious payload in the 'external' parameter and check the response for unsanitized script tags. Example command: curl -i 'http://target/Pacs/existingUser.php?external=<script>alert(1)</script>' and inspect the response for the injected script. Additionally, web vulnerability scanners that test for reflected XSS can be used against this endpoint. [1]
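The detection guidance above can also be applied retrospectively to web server access logs. The following is an added example (not BaseFortify's or the vendor's code) that flags requests to Pacs/existingUser.php whose 'external' parameter contains the start of an HTML tag after URL-decoding, including double-encoded variants; the log lines and client addresses are constructed.

```python
# Added example: scan combined-format access logs for tag-bearing values in the
# 'external' parameter of /Pacs/existingUser.php (the CVE-2025-54778 reflection point).
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

TARGET_PATH = "/pacs/existinguser.php"                   # compared case-insensitively
TAG_RE = re.compile(r"<\s*/?\s*[a-z!]", re.IGNORECASE)   # start of an HTML tag or comment
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

def decode_fully(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (%253C -> %3C -> <) are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_external(url: str) -> Optional[str]:
    """Return the decoded 'external' value when the request targets existingUser.php
    and that value contains the start of an HTML tag; otherwise return None."""
    parts = urlsplit(url)
    if parts.path.lower() != TARGET_PATH:
        return None
    # parse_qs strips one encoding layer; decode_fully removes any further layers
    for value in parse_qs(parts.query, keep_blank_values=True).get("external", []):
        decoded = decode_fully(value)
        if TAG_RE.search(decoded):
            return decoded
    return None

def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client_ip, timestamp, decoded_payload) for every matching request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        payload = suspicious_external(m["url"])
        if payload is not None:
            hits.append((m["ip"], m["ts"], payload))
    return hits

# Constructed sample log (placeholder addresses from the 203.0.113.0/24 documentation range)
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Jan/2026:10:00:01 +0000] "GET /Pacs/existingUser.php?external=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
    '203.0.113.7 - - [20/Jan/2026:10:00:02 +0000] "GET /Pacs/existingUser.php?external=radiology HTTP/1.1" 200 512',
    '203.0.113.9 - - [20/Jan/2026:10:00:03 +0000] "GET /Pacs/existingUser.php?external=%253Cscript%253Ealert(2)%253C%252Fscript%253E HTTP/1.1" 200 512',
    '203.0.113.11 - - [20/Jan/2026:10:00:04 +0000] "GET /Pacs/other.php?external=%3Cscript%3E HTTP/1.1" 404 128',
]

if __name__ == "__main__":
    for ip, ts, payload in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} external={payload!r}")
```

Only the two existingUser.php requests carrying a decoded tag are reported; the plain value and the request to a different path are ignored.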

Mitigation Strategies

The immediate mitigation step is to apply the vendor-released patch that addresses this vulnerability, which was made available on December 5, 2025. Until the patch is applied, restrict access to the affected functionality to trusted users only, and educate users to avoid clicking on suspicious or untrusted URLs containing the 'external' parameter. Implement web application firewall (WAF) rules to detect and block malicious payloads targeting the 'external' parameter in the existingUser functionality. [1]
