Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Unauthenticated remote read of worklist files (AV:N/AC:L/PR:N/UI:N, VC:H); as a disclosure-only issue it carries no integrity or availability impact, whereas the source vector rates VI:L.
Primary rating from Vendor (icscert).
CVSS Vector (Vendor: icscert)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
An unauthenticated attacker can read worklist records from a directory outside the intended per-AE worklist storage area. In a multi-area deployment, this can cross departmental or clinic data separation.
Analysis (AI)
Path traversal in the OFFIS DCMTK DICOM toolkit lets an unauthenticated network attacker read DICOM Modality Worklist records stored outside the intended per-Application-Entity (AE) directory. In multi-area or multi-tenant deployments this breaks departmental and clinic-level data separation, exposing patient scheduling and demographic data across boundaries. The issue was disclosed through CISA's ICS Medical advisory ICSMA-26-181-01; no public exploit had been identified at the time of analysis.
Vulnerability Assessment (AI)
| Area | Assessment |
|---|---|
| Exploitation | Requires network reachability to a DCMTK Modality Worklist SCP service (e.g., wlmscpfs) configured for a multi-area / multi-AE deployment in which worklist records are partitioned into per-AE directories; that multi-area configuration is precisely the setting whose isolation is crossed. … |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N) and 8.8 score indicate a remotely reachable, low-complexity, unauthenticated read with high confidentiality impact, consistent with the described unauthenticated cross-area worklist disclosure. … |
| Exploit Scenario | An attacker with network access to a hospital's DICOM Modality Worklist service issues crafted worklist queries containing path-traversal sequences that make the DCMTK SCP read worklist files from another AE's directory. Without authenticating, the attacker retrieves scheduled-procedure and patient demographic records belonging to a different department or clinic, breaching tenant separation. … |
| Remediation | Upgrade to the fixed DCMTK release identified in CISA advisory ICSMA-26-181-01 (https://www.cisa.gov/news-events/ics-medical-advisories/icsma-26-181-01). The references point to the DCMTK GitHub releases page (https://github.com/DCMTK/dcmtk/releases/tag/latest) rather than to a specific tagged version, so the upstream fix is available but the exact patched version cannot be confirmed from the provided data; verify the precise fixed version against the advisory before deploying. … |
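The defensive check a worklist SCP needs here, added as an illustration and not DCMTK's own code: an untrusted string from the association must never be allowed to pick an arbitrary directory. The page does not say which request field carries the traversal sequence, so the example assumes the called AE title, which wlmscpfs's file-based data source uses to select `<dfPath>/<called AE title>/*.wl`; all function and variable names are hypothetical. It pairs a naive join (the pattern that lets `../ONCOLOGY` escape the base directory) with an allowlist on the AE title plus a component-wise containment check on the normalised path.

```cpp
// Added example (not DCMTK code): selecting a per-AE worklist directory from
// an untrusted called AE title. Layout assumed: <base>/<AE title>/*.wl.
#include <cctype>
#include <filesystem>
#include <iostream>
#include <optional>
#include <string>

namespace fs = std::filesystem;

// Strip the spaces a DICOM AE title may carry (AE VR: leading and trailing
// spaces are not significant).
static std::string trim_ae(const std::string& s) {
    std::size_t b = s.find_first_not_of(' ');
    if (b == std::string::npos) return "";
    std::size_t e = s.find_last_not_of(' ');
    return s.substr(b, e - b + 1);
}

// The naive join: whatever the peer sent becomes part of the path, so
// "../ONCOLOGY" normalises to a sibling of the base directory.
fs::path naive_ae_dir(const fs::path& base, const std::string& raw_ae) {
    return (base / trim_ae(raw_ae)).lexically_normal();
}

// Allowlist for an AE title that is about to become a directory name: at most
// 16 characters (AE VR limit), printable ASCII only, no backslash (forbidden
// by the AE VR), and, because the string reaches the filesystem, no '/' and
// no "." or ".." either.
bool ae_title_is_safe_dir_name(const std::string& raw) {
    std::string ae = trim_ae(raw);
    if (ae.empty() || ae.size() > 16) return false;
    if (ae == "." || ae == "..") return false;
    for (unsigned char c : ae) {
        if (c < 0x20 || c > 0x7e) return false;  // control or non-ASCII byte
        if (c == '\\' || c == '/') return false; // path separators
    }
    return true;
}

// Resolve <base>/<ae> and confirm, purely lexically, that the result is still
// under <base>. Returns nullopt if the title is rejected or the normalised
// path escapes. The containment test is belt-and-braces on top of the
// allowlist; keeping both means a later relaxation of one does not reopen
// the traversal.
std::optional<fs::path> resolve_ae_dir(const fs::path& base, const std::string& raw_ae) {
    if (!ae_title_is_safe_dir_name(raw_ae)) return std::nullopt;
    fs::path base_n = base.lexically_normal();
    if (base_n.filename().empty()) base_n = base_n.parent_path(); // drop trailing '/'
    fs::path cand = (base_n / trim_ae(raw_ae)).lexically_normal();
    // Component-wise prefix test: a string prefix test would wrongly accept
    // "/var/worklists-evil" as lying under "/var/worklists".
    auto bi = base_n.begin();
    auto ci = cand.begin();
    for (; bi != base_n.end(); ++bi, ++ci) {
        if (ci == cand.end() || *bi != *ci) return std::nullopt;
    }
    return cand;
}

int main() {
    const fs::path base = "/var/worklists";                 // hypothetical dfPath
    const std::string titles[] = {"RADIOLOGY", "../ONCOLOGY", "..\\ONCOLOGY"};
    for (const auto& t : titles) {
        std::cout << "called AE '" << t << "': naive -> " << naive_ae_dir(base, t).string();
        auto safe = resolve_ae_dir(base, t);
        std::cout << ", checked -> " << (safe ? safe->string() : "REJECTED") << '\n';
    }
    return 0;
}
```

The check runs before any directory listing, so a rejected title costs only a failed association negotiation or an empty C-FIND response, and the log line naming the offending AE title is the natural detection hook for the exploit scenario above.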
Recommended Action (AI)
Within 24 hours: Identify all systems running OFFIS DCMTK and map network exposure, especially multi-tenant deployments. …
Weakness: CWE-22 – Path Traversal
Related identifiers: EUVD-2026-40417, GHSA-998c-fcv7-9f2w