CVE-2026-5663

EUVD-2026-19243
A security flaw has been discovered in OFFIS DCMTK up to 3.7.0. This impacts the function executeOnReception/executeOnEndOfStudy of the file dcmnet/apps/storescp.cc of the component storescp. Performing a manipulation results in os command injection. Remote exploitation of the attack is possible. The patch is named edbb085e45788dccaf0e64d71534cfca925784b8. Applying a patch is the recommended action to fix this issue.
Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
VulDBCNA
7.3 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
offisdcmtk
3.0
CNA
offisdcmtk
3.1
CNA
offisdcmtk
3.2
CNA
offisdcmtk
3.3
CNA
offisdcmtk
3.4
CNA
offisdcmtk
3.5
CNA
offisdcmtk
3.6
CNA
offisdcmtk
3.7.0
CNA
Debian logo
Debian Releases
Debian Product
Codename
dcmtk
bookworm
vulnerable
bullseye
vulnerable
bullseye (security)
vulnerable
forky
vulnerable
sid
vulnerable
trixie
vulnerable
Common Weakness Enumeration
References
https://github.com/DCMTK/dcmtk/commit/edbb085e45788dccaf0e64d71534cfca925784b8
https://machinespirits.com/advisory/2e1627/
https://support.dcmtk.org/redmine/issues/1194
https://vuldb.com/submit/786061
https://vuldb.com/vuln/355486
https://vuldb.com/vuln/355486/cti