
DCMTK CVE-2026-5663 – vulnerability details (vuln.today)

EUVD-2026-19243 · MEDIUM · OS Command Injection (CWE-78)
2026-04-06 · VulDB · 6.9 (CVSS 4.0, NVD)

Severity by source

NVD (primary): 6.9 MEDIUM
  CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE: 7.5 HIGH
  AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L (CVSS 3.x vector)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X (Scope is not a CVSS 4.0 metric; the 4.0 vector expresses downstream impact through SC/SI/SA instead)

Lifecycle Timeline (4 events, newest first)

Apr 06, 2026 14:30 (euvd): EUVD ID assigned – EUVD-2026-19243
Apr 06, 2026 14:30 (vuln.today): Analysis generated
Apr 06, 2026 14:30 (nvd): Patch released – patch available
Apr 06, 2026 14:15 (nvd): CVE published – rated MEDIUM 6.9

Description (CVE.org)

A security flaw has been discovered in OFFIS DCMTK up to 3.7.0. This impacts the function executeOnReception/executeOnEndOfStudy of the file dcmnet/apps/storescp.cc of the component storescp. Performing a manipulation results in os command injection. Remote exploitation of the attack is possible. The patch is named edbb085e45788dccaf0e64d71534cfca925784b8. Applying a patch is the recommended action to fix this issue.

Analysis (AI-generated)

OS command injection in OFFIS DCMTK's storescp utility (versions up to 3.7.0) allows unauthenticated remote attackers to execute arbitrary system commands via crafted DICOM network operations. The vulnerability resides in the executeOnReception and executeOnEndOfStudy functions within dcmnet/apps/storescp.cc. …


Vulnerability Assessment (AI-generated)

Risk Assessment: The CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates that this vulnerability is exploitable remotely over the network with low attack complexity and requires neither authentication nor user interaction, which is a severe attack-surface exposure. …

Exploit Scenario: An attacker on the hospital network, or with internet access to an exposed PACS system, sends a specially crafted DICOM C-STORE request to a vulnerable storescp service, embedding shell command sequences in the DICOM metadata fields that the executeOnReception callback processes. When storescp handles the received image and invokes the callback with this unsanitized input, the injected commands run with the privileges of the DCMTK service account. That could allow the attacker to exfiltrate patient imaging data, pivot to other medical systems, or disrupt radiology workflows by corrupting stored images or modifying study metadata.

Remediation: Apply the vendor-released patch commit edbb085e45788dccaf0e64d71534cfca925784b8 (https://github.com/DCMTK/dcmtk/commit/edbb085e45788dccaf0e64d71534cfca925784b8), which addresses the command injection in the storescp component. …
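The scenario above turns on a hook command being assembled from values the remote peer controls and then handed to a shell. The Python below is an added example written for this page, not code from the page or from DCMTK: it models that pattern generically with a trusted command template whose placeholders (the names #a for the calling application entity title and #f for the stored file name are assumptions, not taken from the page or the patch) are filled from peer-supplied values. It places the vulnerable string-then-shell form beside an argv-based form that keeps each value a single argument, and adds two defender checks: an AE-title format check and a metacharacter flag suitable for logging or alerting on received associations.

```python
"""Safe handling of a "run this command when a file arrives" hook.

Constructed example, not DCMTK's code: a generic stand-in for the kind of
hook that storescp's executeOnReception runs. The peer-supplied values are
assumed to come from the DICOM association (e.g. the calling AE title).
"""
import re
import shlex
import subprocess
from typing import Dict, List

# Characters that let a substituted value escape into the shell's grammar.
SHELL_META = re.compile(r"[;&|`$<>()\n\\\"'*?]")

# DICOM AE titles: 1-16 characters of the default repertoire, excluding
# backslash (0x5C) and control characters (check written here from the
# AE value representation rules; it is a format check, not an injection filter).
AE_TITLE_OK = re.compile(r"^[\x20-\x5B\x5D-\x7E]{1,16}$")


def unsafe_command(template: str, values: Dict[str, str]) -> str:
    """Vulnerable pattern: textual substitution, then `sh -c` on the result.

    A peer value such as 'PEER; id' becomes part of the command line, and
    the shell executes 'id' as a second command.
    """
    cmd = template
    for placeholder, value in values.items():
        cmd = cmd.replace(placeholder, value)
    return cmd  # a vulnerable caller would pass this string to system()


def safe_argv(template: str, values: Dict[str, str]) -> List[str]:
    """Hardened pattern: tokenize the trusted template first, substitute into
    each token separately, and never invoke a shell. Metacharacters in a
    value stay inside one argv element and reach the program literally.
    """
    argv: List[str] = []
    for token in shlex.split(template):
        for placeholder, value in values.items():
            token = token.replace(placeholder, value)
        argv.append(token)
    return argv


def valid_ae_title(title: str) -> bool:
    """Format check on a peer-supplied AE title (defense in depth only)."""
    return AE_TITLE_OK.match(title) is not None


def suspicious_value(value: str) -> bool:
    """Detection aid: True when a peer-supplied value carries shell
    metacharacters. Worth logging even though safe_argv neutralises them.
    """
    return SHELL_META.search(value) is not None


def run_hook(template: str, values: Dict[str, str]) -> int:
    """Run the hook without a shell; returns the child's exit status."""
    for value in values.values():
        if suspicious_value(value):
            print(f"ALERT: shell metacharacters in peer-supplied value {value!r}")
    return subprocess.run(safe_argv(template, values), check=False).returncode


if __name__ == "__main__":
    tmpl = "/usr/local/bin/notify.sh #a #f"           # assumed hook template
    vals = {"#a": "PEER; id", "#f": "/var/dicom/1.dcm"}  # constructed peer input
    print("string a shell would see :", unsafe_command(tmpl, vals))
    print("argv passed without shell:", safe_argv(tmpl, vals))
```

Note that 'PEER; id' passes the AE-title format check, because the DICOM AE repertoire allows both ';' and spaces; character validation narrows the input but does not remove the bug. The fix that matters is in safe_argv: the template is split while it is still trusted, and the substituted values are passed as discrete arguments, so no shell ever parses them. run_hook is the only function that touches the system; the pure builders are what a unit test should exercise.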

Recommended Action (AI-generated)

Within 24 hours: inventory all systems running OFFIS DCMTK storescp and identify current version numbers. …


Vendor Status

SUSE: Severity High
  openSUSE Tumbleweed: Fixed
