Description
MedDream PACS Server Premium 6.7.1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the email parameter. Attackers can submit crafted POST requests to the userSignup.php endpoint with SQL payloads in the email field to extract sensitive database information from the backend MySQL database.
Published: 2026-05-25
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MedDream PACS Server Premium 6.7.1.1 contains an unauthenticated SQL injection flaw that lets attackers craft malicious input in the email field of the userSignup.php endpoint. By sending a POST request with SQL payloads, an attacker can execute arbitrary SQL queries against the underlying MySQL database, resulting in the extraction of sensitive data such as patient records and system configuration.

Affected Systems

The vulnerability affects MedDream PACS Server Premium, specifically version 6.7.1.1. Users running this build are susceptible to the injection attack.

Risk and Exploitability

The CVSS score of 8.8 classifies the flaw as a high‑severity vulnerability. The EPSS score is not provided, making the exact likelihood of exploitation uncertain, and the issue is not listed in the CISA KEV catalog. Attackers can exploit the flaw via unauthenticated HTTP POST requests to the userSignup.php endpoint, implying that the attack can be carried out over the network without prior access.

Generated by OpenCVE AI on May 25, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update MedDream PACS Server Premium to a patched version that eliminates the SQL injection vulnerability.
  • If no patch is available, block unauthenticated access to the userSignup.php endpoint using firewall rules or web server access control lists.
  • Modify the application to sanitize the email input field, employing prepared statements or parameterized queries and rejecting inputs that contain SQL control characters.
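A defender-side illustration of the last recommendation, added here and not code from MedDream or OpenCVE: the string-concatenation pattern that CWE-89 describes for a signup handler's e-mail check, next to a rewrite that validates the value and binds it through a mysqli prepared statement. The table name `users`, its columns and the function names are assumptions.

```php
<?php
// Added illustration, not MedDream code. Table and column names are assumed.

// Vulnerable pattern (CWE-89): the email parameter is concatenated into the SQL
// text, so whatever the client sends in that field becomes part of the query.
function emailAlreadyRegisteredUnsafe(mysqli $db, string $email): bool
{
    $sql = "SELECT id FROM users WHERE email = '" . $email . "'";
    $result = $db->query($sql);
    return $result !== false && $result->fetch_assoc() !== null;
}

// Hardened form: reject anything that is not shaped like an address, then bind the
// value as a parameter so the driver treats it strictly as data, never as SQL syntax.
function emailAlreadyRegisteredSafe(mysqli $db, string $email): bool
{
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false; // malformed input never reaches the database
    }
    $stmt = $db->prepare("SELECT id FROM users WHERE email = ?");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $db->error);
    }
    $stmt->bind_param("s", $email); // "s": bound as a string value
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row !== null;
}
```

The bound parameter is the control that closes the injection; the format check in front of it only narrows what the handler accepts and is not a substitute for it.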

Advisories

No advisories yet.

History

Mon, 25 May 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | | MedDream PACS Server Premium 6.7.1.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the email parameter. Attackers can submit crafted POST requests to the userSignup.php endpoint with SQL payloads in the email field to extract sensitive database information from the backend MySQL database.
Title | | MedDream PACS Server Premium 6.7.1.1 SQL Injection via email
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
 | | cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-25T14:15:17.182Z

Reserved: 2026-05-25T13:48:07.993Z

Link: CVE-2018-25372

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-25T16:00:14Z

Weaknesses