Description

A security flaw has been discovered in OFFIS DCMTK up to 3.7.0. It affects the function executeOnReception/executeOnEndOfStudy in the file dcmnet/apps/storescp.cc of the component storescp. Manipulation leads to OS command injection. The attack can be carried out remotely. The patch is named edbb085e45788dccaf0e64d71534cfca925784b8. Applying the patch is the recommended way to fix this issue.

PUBLISHED Reserved 2026-04-06 | Published 2026-04-06 | Updated 2026-04-06 | Assigner VulDB




MEDIUM: 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X
HIGH: 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C
HIGH: 7.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:O/RC:C
7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P/E:ND/RL:OF/RC:C

Problem types

OS Command Injection

Command Injection

Product status

3.0 affected
3.1 affected
3.2 affected
3.3 affected
3.4 affected
3.5 affected
3.6 affected
3.7.0 affected

Timeline

2026-04-06: Advisory disclosed
2026-04-06: VulDB entry created
2026-04-06: VulDB entry last update

Credits

Simon Weber (Machine Spirits) finder

Volker Schönefeld (Machine Spirits) finder

simon4machinespirits (VulDB User) reporter

References

vuldb.com/vuln/355486 (VDB-355486 | OFFIS DCMTK storescp storescp.cc executeOnEndOfStudy os command injection) vdb-entry technical-description

vuldb.com/vuln/355486/cti (VDB-355486 | CTI Indicators (IOB, IOC, TTP, IOA)) signature permissions-required

vuldb.com/submit/786061 (Submit #786061 | OFFIS DCMTK up to 3.7.0 OS Command Injection) third-party-advisory

machinespirits.com/advisory/2e1627/ related

support.dcmtk.org/redmine/issues/1194 issue-tracking

github.com/...ommit/edbb085e45788dccaf0e64d71534cfca925784b8 patch

cve.org (CVE-2026-5663)

nvd.nist.gov (CVE-2026-5663)
