Description
Merge PACS 7.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms targeting the merge-viewer endpoint. Attackers can submit POST requests to /servlet/actions/merge-viewer/summary with login credentials to hijack user sessions and gain unauthorized access to the PACS system.
Published: 2026-04-29
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross‑site request forgery flaw in Merge PACS 7.0 allows an attacker to craft a malicious HTML form that submits a POST request to the merge‑viewer endpoint. By sending credentials to /servlet/actions/merge‑viewer/summary, the attacker can hijack the victim’s session and gain unauthorized access to the PACS system.

Affected Systems

The vulnerability affects Merge’s PACS product, version 7.0. All releases of 7.0 are potentially impacted because no specific patch level or build is indicated.

Risk and Exploitability

The flaw has a CVSS score of 6.9, classifying it as medium severity. The EPSS score is not available, so the likelihood of exploitation is unknown. The flaw is not listed in the CISA KEV catalog. Because the attacker must send a crafted POST request while the user is logged in, the exploitation path is straightforward for an adversary who can lure the victim to submit the form. Without a vendor patch, standard CSRF defenses such as synchronizer tokens, same‑origin checks, and strict session handling can mitigate the risk.

Generated by OpenCVE AI on April 30, 2026 at 13:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and install any available vendor security patch or update for Merge PACS 7.0 to address the CSRF vulnerability.
  • Configure the application to enforce CSRF tokens or custom header validation on POST requests to the merge‑viewer endpoint.
  • Ensure session identifiers are invalidated on logout and bind sessions to the IP address or user agent to limit potential impact of a stolen session.

Generated by OpenCVE AI on April 30, 2026 at 13:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 30 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 30 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Merge
Merge merge Pacs
Vendors & Products Merge
Merge merge Pacs

Wed, 29 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description Merge PACS 7.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms targeting the merge-viewer endpoint. Attackers can submit POST requests to /servlet/actions/merge-viewer/summary with login credentials to hijack user sessions and gain unauthorized access to the PACS system.
Title Merge PACS 7.0 Cross-Site Request Forgery via merge-viewer
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L'}

Subscriptions

Merge Merge Pacs
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-30T12:45:46.990Z

Reserved: 2026-04-29T11:59:44.886Z

Link: CVE-2018-25298

cve-icon Vulnrichment

Updated: 2026-04-30T12:43:19.024Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-29T20:16:23.970

Modified: 2026-04-30T15:48:26.580

Link: CVE-2018-25298

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T14:00:22Z

Weaknesses