CVE-2026-5663

A security flaw has been discovered in OFFIS DCMTK up to 3.7.0. This impacts the function executeOnReception/executeOnEndOfStudy of the file dcmnet/apps/storescp.cc of the component storescp. Performing a manipulation results in os command injection. Remote exploitation of the attack is possible. The patch is named edbb085e45788dccaf0e64d71534cfca925784b8. Applying a patch is the recommended action to fix this issue.

CVSS v3 7.3 HIGH
CVSS v2.0 7.5 HIGH

7.3^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/DCMTK/dcmtk/commit/edbb085e45788dccaf0e64d71534cfca925784b8	Patch
https://machinespirits.com/advisory/2e1627/	Mitigation Third Party Advisory
https://support.dcmtk.org/redmine/issues/1194	Issue Tracking Third Party Advisory
https://vuldb.com/submit/786061	Third Party Advisory VDB Entry
https://vuldb.com/vuln/355486	Third Party Advisory VDB Entry
https://vuldb.com/vuln/355486/cti	Permissions Required VDB Entry

Configurations

Configuration 1 (hide)

cpe:2.3:a:offis:dcmtk:*:*:*:*:*:*:*:*

History

27 Apr 2026, 18:43

Type	Values Removed	Values Added
References	~~() https://github.com/DCMTK/dcmtk/commit/edbb085e45788dccaf0e64d71534cfca925784b8 -~~	() https://github.com/DCMTK/dcmtk/commit/edbb085e45788dccaf0e64d71534cfca925784b8 - Patch
References	~~() https://machinespirits.com/advisory/2e1627/ -~~	() https://machinespirits.com/advisory/2e1627/ - Mitigation, Third Party Advisory
References	~~() https://support.dcmtk.org/redmine/issues/1194 -~~	() https://support.dcmtk.org/redmine/issues/1194 - Issue Tracking, Third Party Advisory
References	~~() https://vuldb.com/submit/786061 -~~	() https://vuldb.com/submit/786061 - Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/vuln/355486 -~~	() https://vuldb.com/vuln/355486 - Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/vuln/355486/cti -~~	() https://vuldb.com/vuln/355486/cti - Permissions Required, VDB Entry
First Time		Offis Offis dcmtk
CPE		cpe:2.3:a:offis:dcmtk::::::::

06 Apr 2026, 15:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-06 15:17

Updated : 2026-04-27 18:43

NVD link : CVE-2026-5663

Mitre link : CVE-2026-5663

CVE.ORG link : CVE-2026-5663

JSON object : View

Products Affected

offis

dcmtk

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

7.3 /10