CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
OpenClinic GA 5.351.19 contains a reflected cross-site scripting vulnerability in the DICOM image upload handler that allows attackers to execute arbitrary JavaScript in a victim's browser by embedding malicious payloads in DICOM file metadata fields. Attackers can craft a DICOM file with JavaScript payloads in metadata fields such as Study Description, which are reflected without sanitization in popup.jsp and archiving/uploadfiles_jsp.java when processed through the Upload DICOM images feature.
Analysis (AI-generated)
Reflected cross-site scripting in OpenClinic GA 5.351.19's DICOM image upload handler allows unauthenticated remote attackers to execute arbitrary JavaScript in authenticated users' browsers by embedding payloads in DICOM file metadata fields such as Study Description, which are reflected unsanitized through popup.jsp and archiving/uploadfiles_jsp.java. A publicly available proof-of-concept exists, and the researcher's published chain explicitly demonstrates escalation from this XSS primitive to remote code execution, materially elevating the real-world severity beyond the CVSS 5.3 score. …
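As an added example (not from the NVD record or OpenClinic GA's own code), a defender-side screening check in Python: it walks a DICOM file's explicit-VR little-endian data elements and flags text-VR values, such as Study Description (0008,1030), that contain HTML metacharacters, so such files can be quarantined or reviewed before a viewer page reflects their metadata. The sample bytes are constructed inline and omit the File Meta group (0002); the parser assumes explicit VR little endian and stops at the first undefined-length element.

```python
import struct

# Text VRs a viewer is likely to render verbatim (Study Description is LO).
TEXT_VRS = {"LO", "SH", "ST", "LT", "PN", "UT", "CS"}
# VRs whose header carries 2 reserved bytes plus a 4-byte length (core set).
LONG_VRS = {"OB", "OW", "OF", "SQ", "UN", "UT"}
HTML_META = set("<>\"'&")

def iter_elements(data):
    """Yield (tag, vr, raw_value) for explicit-VR LE elements; preamble optional."""
    pos = 132 if data[128:132] == b"DICM" else 0
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6].decode("ascii")
        if vr in LONG_VRS:
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        if length == 0xFFFFFFFF:  # undefined length (nested sequences): out of scope here
            break
        yield (group, elem), vr, data[pos:pos + length]
        pos += length

def suspicious_text_fields(data):
    """Return [(tag, value)] for text elements containing HTML metacharacters."""
    hits = []
    for tag, vr, raw in iter_elements(data):
        if vr in TEXT_VRS:
            text = raw.decode("latin-1").rstrip(" \x00")  # strip DICOM padding
            if HTML_META & set(text):
                hits.append(("%04X,%04X" % tag, text))
    return hits

def build_element(group, elem, vr, value):
    """Encode one short-length explicit-VR LE element, padding the value to even length."""
    if len(value) % 2:
        value += b" "
    return struct.pack("<HH", group, elem) + vr.encode() + struct.pack("<H", len(value)) + value

# Constructed sample (not a real study): Modality (0008,0060) and a Study Description
# carrying an HTML tag, the kind of value that must never reach a page unencoded.
SAMPLE = (b"\x00" * 128 + b"DICM"
          + build_element(0x0008, 0x0060, "CS", b"CT")
          + build_element(0x0008, 0x1030, "LO", b"Chest CT <b>routine</b>"))

if __name__ == "__main__":
    print(suspicious_text_fields(SAMPLE))
```

Flagging is only a screening control; the actual fix is to HTML-encode every metadata value at the point it is written into the page (html.escape in Python, `<c:out>` or `fn:escapeXml` in JSP).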
Attack Chain (AI-derived)
Hypothetical attack flow derived from CVE metadata
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | The 'Upload DICOM images' feature must be accessible and enabled; this is the specific application function through which the malicious DICOM file is submitted. … |
| Risk Assessment | The CVSS 4.0 base score of 5.3 (Medium) reflects the UI:P passive interaction requirement and the scoped subsequent-system impact (SC:L/SI:L), but substantially understates real-world risk when considered alongside the available exploit intelligence. … |
| Exploit Scenario | An attacker crafts a DICOM image file with a JavaScript payload embedded in a metadata field such as Study Description, then submits it to an OpenClinic GA instance via the Upload DICOM images feature, which the CVSS PR:N vector indicates does not require attacker authentication. When an authenticated clinical user (radiologist, imaging admin) subsequently triggers the reflected response in popup.jsp, the JavaScript payload executes in their browser session. … |
| Remediation | No vendor-released patch has been identified at time of analysis; no fixed version is cited in any of the available references, and the CPE wildcard suggests no upstream release has bounded the affected range. … |
External POC / Exploit Code
EUVD-2026-35842
GHSA-fr6h-hjqh-g695