CVE-2018-25298 MEDIUM

CVE-2018-25298: Merge PACS 7.0 Cross-Site Request Forgery via merge-viewer

Vendor Merge
Product Merge PACS
Weakness CWE-352 · CSRF
Published April 29, 2026
Last update April 30, 2026

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

What the vulnerability does

01Description

Merge PACS 7.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms targeting the merge-viewer endpoint. Attackers can submit POST requests to /servlet/actions/merge-viewer/summary with login credentials to hijack user sessions and gain unauthorized access to the PACS system.

Key dates

02Disclosure timeline

April 29, 2026 CVE published
April 30, 2026 Record updated