Critical Vulnerability Information

Vulnerability Identifier
TALOS ID: TALOS-2025-2264
CVE Number: CVE-2025-58080

Vulnerability Summary
Affected Product: MedDream PACS Premium 7.3.6.870
Vulnerability Type: Reflected Cross-Site Scripting (XSS)
CVSSv3 Score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CWE Number: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Vulnerability Details
Affected Version: MedDream PACS Premium 7.3.6.870
Vulnerability Location: A reflected cross-site scripting vulnerability exists in the function within the script. An attacker can exploit it with a specially crafted URL; when a victim opens that URL, arbitrary JavaScript executes in the victim's browser in the context of the application (hence UI:R and S:C in the CVSS vector).
Product Description: MedDream PACS is a DICOM 3.0-compliant server for storing, managing, and retrieving medical images. It includes a web-based DICOM viewer and management interface.
Root Cause: In the function, the value of the parameter is written directly into the HTML output without any sanitization or output encoding, resulting in a reflected XSS vulnerability.

Example Code

Timeline
2025-09-02: Vulnerability disclosed to vendor
2025-12-05: Vendor releases patch
2026-01-20: Public report released

Discoverer
Discovered by Marcin 'Icewall' Noga of Cisco Talos
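The root cause described above (a request parameter echoed into the HTML response without encoding), as an added illustration that is not MedDream code and not part of the original advisory: a minimal Python page renderer in its vulnerable form beside the encoded fix, driven by a crafted URL of the kind the advisory describes. The script name `viewer.py`, the parameter name `title`, the host `pacs.example` and the payload are hypothetical stand-ins for the names the advisory does not give.

```python
"""Reflected XSS: a query parameter echoed straight into HTML, beside the fixed form.

Added example, not MedDream PACS code. Script name, parameter name, host and
payload below are hypothetical stand-ins for the details the advisory omits.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Constructed crafted URL a victim would be lured into opening (UI:R in the vector).
PAYLOAD = "<script>alert(document.cookie)</script>"
CRAFTED_URL = "https://pacs.example/viewer.py?title=" + PAYLOAD


def parse_query(url: str) -> dict:
    """Return the first value of each query parameter, as a web framework would hand it over."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}


def render_vulnerable(params: dict) -> str:
    """'Before': the attacker-controlled value is concatenated into the HTML body untouched,
    so the browser parses the injected <script> element and runs it in the app's origin."""
    title = params.get("title", "")
    return f"<html><body><h1>{title}</h1></body></html>"


def render_fixed(params: dict) -> str:
    """'After': HTML-encode for the element-body context. quote=True also encodes the two
    quote characters, so the same call is safe for a value placed in a quoted attribute."""
    title = html.escape(params.get("title", ""), quote=True)
    return f"<html><body><h1>{title}</h1></body></html>"


def contains_raw_markup(page: str, payload: str) -> bool:
    """Detection check: does the response echo the payload back with its markup intact?"""
    return payload in page


if __name__ == "__main__":
    params = parse_query(CRAFTED_URL)
    print("vulnerable:", render_vulnerable(params))
    print("fixed:     ", render_fixed(params))
```

The `contains_raw_markup` check is the same test a scanner or a pentester applies to a suspected reflection point: send a marker containing `<`, `>` and quotes, and look for it unchanged in the response body. Encoding at output time is the fix; CSP and an `X-Content-Type-Options: nosniff` header are defence in depth, not substitutes.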