
Dcmtk Toolkit

5 CVEs (product)

CVE-2026-50003 | CRITICAL | CISA: Emergency

Path traversal in OFFIS DCMTK (DICOM Toolkit) lets a malicious or compromised DICOM server write attacker-controlled files to arbitrary locations on a DCMTK client host whenever that client retrieves objects using bit-preserving C-GET storage mode. Because the client trusts server-supplied storage paths, both relative (../) and absolute paths escape the chosen output directory; the attacker can overwrite any file the client process is allowed to write, which becomes code execution if those files include scripts, configuration or binaries the host later runs. Reported via CISA ICS-CERT medical advisory ICSMA-26-181-01; no public exploit identified at time of analysis, and not listed in CISA KEV.

Tags: Path Traversal, Dcmtk Toolkit
References: NVD, GitHub
CVSS 4.0: 9.3 | EPSS: 0.4%
CVE-2026-50254 | HIGH | CISA: Act Now

Denial of service in OFFIS DCMTK's storescp DICOM receiver allows an unauthenticated remote attacker to exhaust process memory by repeatedly sending a crafted connection request; each request leaks memory that is never freed (CWE-401), eventually crashing the service so it stops accepting connections until an operator manually restarts it. In the default single-process deployment mode the leak accumulates per connection in the one long-lived listener process, so it brings the receiver down quickly. CVSS 4.0 scores this 8.7 (High), driven entirely by availability impact; no public exploit identified at time of analysis, and not listed in CISA KEV.

Tags: Denial Of Service, Dcmtk Toolkit
References: NVD, GitHub
CVSS 4.0: 8.7 | EPSS: 0.4%
CVE-2026-35505 | HIGH | CISA: Act Now

Denial of service in the OFFIS DCMTK DICOM toolkit allows an unauthenticated remote attacker to exhaust memory by repeatedly sending crafted connection requests, each of which leaks memory that is never freed. In single-process deployments the leaked memory accumulates until the OS kills the service process, and the listening port stops responding until a manual restart. No public exploit identified at time of analysis; CVSS 4.0 base score is 8.7 (availability-only impact). Reported through CISA ICS-CERT medical advisory ICSMA-26-181-01.

Tags: Denial Of Service, Dcmtk Toolkit
References: NVD, GitHub
CVSS 4.0: 8.7 | EPSS: 0.4%
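The two memory-leak entries above describe the same failure mode: a long-lived single-process listener that grows until it dies and then stays down until someone notices. As an added example that is not from this page or from the DCMTK project, the systemd unit below bounds the receiver's memory and restarts it automatically, so exhaustion becomes a short, logged restart rather than an open-ended outage. It does not remove the leak; only the fixed release does. The install path, port, AE title, output directory and service account are assumptions; `--aetitle` and `--output-directory` are existing storescp options and the port is positional.

```ini
# /etc/systemd/system/storescp.service  (added example; paths, port, AE title and user are assumed)
[Unit]
Description=DCMTK storescp DICOM receiver
After=network-online.target
Wants=network-online.target
# Never give up restarting: a repeated OOM kill is the attack, not a reason to stay down.
StartLimitIntervalSec=0

[Service]
ExecStart=/usr/bin/storescp --aetitle STORESCP --output-directory /var/dicom/incoming 11112
User=dicom
Group=dicom
# Bound the blast radius of a per-connection leak: the cgroup is killed at the
# hard limit instead of starving the rest of the host.
MemoryHigh=384M
MemoryMax=512M
# Come back on our own instead of waiting for an operator.
Restart=always
RestartSec=2s
# Least privilege for a network listener that only needs its output directory.
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/var/dicom/incoming
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
```

`MemoryMax` is a cgroup v2 hard limit, so the kernel kills the unit when it is reached and `Restart=always` brings it back after `RestartSec`. Each OOM kill shows up in `journalctl -u storescp`, which doubles as a cheap detection signal: a receiver that is being restarted for memory every few minutes on a quiet network is being fed the crafted connection requests described above.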
CVE-2026-52868 | HIGH | CISA: Act Now

Path traversal in the OFFIS DCMTK DICOM toolkit lets an unauthenticated network attacker read DICOM Modality Worklist records stored outside the intended per-Application-Entity (AE) directory. In multi-area or multi-tenant deployments this breaks departmental and clinic-level data separation, exposing patient scheduling and demographic data across boundaries. Disclosed through CISA's ICS medical advisory ICSMA-26-181-01; no public exploit identified at time of analysis.

Tags: Path Traversal, Dcmtk Toolkit
References: NVD, GitHub
CVSS 4.0: 8.8 | EPSS: 0.4%
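Both path-traversal entries above, the C-GET client writing received objects under its output directory and the worklist server resolving a per-AE directory, come down to the same missing check: a name taken from the peer is joined onto a base directory without confining the result to it. The following C++17 helpers are an added example in the toolkit's own language, not code from DCMTK or from this page. They show the containment check plus the two allowlists a practitioner would put in front of it: a file name derived from peer data must be a valid DICOM UID, and an AE title must be a single path component. Function names, the policy of naming received files `<UID>.dcm`, and the base directories used in the comments are assumptions.

```cpp
// Added example (not DCMTK code): confine peer-supplied names to a base directory.
#include <cctype>
#include <filesystem>
#include <iterator>
#include <optional>
#include <string>

namespace fs = std::filesystem;

// Lexical containment check (hypothetical helper). Rejects absolute paths,
// any ".." component, empty names and names ending in a separator, then joins
// the normalised remainder onto `base`. It never touches the filesystem, so it
// works before the file exists, but it cannot see symlinks: canonicalise
// `base` once at startup if the directory may contain them.
std::optional<fs::path> containedPath(const fs::path& base, const std::string& untrusted) {
    if (untrusted.empty()) return std::nullopt;
    fs::path rel(untrusted);
    if (rel.is_absolute() || rel.has_root_name() || rel.has_root_directory()) return std::nullopt;
    for (const fs::path& part : rel) {
        if (part.string() == "..") return std::nullopt;  // "../x" and "a/../../x" both rejected
    }
    fs::path norm = rel.lexically_normal();
    if (norm.empty() || norm.string() == "." || !norm.has_filename()) return std::nullopt;
    return (base / norm).lexically_normal();
}

// Allowlist for a file name taken from the peer's DICOM data (hypothetical
// helper): a UID is digits and dots, at most 64 characters, no empty component.
// On POSIX a backslash is an ordinary character, so "..\\x" would pass
// containedPath() as a single component; this allowlist closes that gap.
bool looksLikeUid(const std::string& name) {
    if (name.empty() || name.size() > 64) return false;
    char prev = '.';
    for (char c : name) {
        if (c == '.') {
            if (prev == '.') return false;               // leading dot or ".."
        } else if (!std::isdigit(static_cast<unsigned char>(c))) {
            return false;
        }
        prev = c;
    }
    return prev != '.';                                  // no trailing dot
}

// Where a C-GET client would write a received object, or nullopt if the name
// cannot be trusted. Assumed policy: the SOP Instance UID names the file.
std::optional<fs::path> receivedObjectPath(const fs::path& outputDir, const std::string& sopInstanceUid) {
    if (!looksLikeUid(sopInstanceUid)) return std::nullopt;
    return containedPath(outputDir, sopInstanceUid + ".dcm");
}

// AE title rules as assumed from DICOM PS3.5: 1-16 characters of the default
// repertoire, no backslash, no control characters, not all spaces.
bool validAeTitle(const std::string& ae) {
    if (ae.empty() || ae.size() > 16) return false;
    bool nonSpace = false;
    for (char c : ae) {
        unsigned char u = static_cast<unsigned char>(c);
        if (u < 0x20 || u > 0x7e || c == '\\') return false;
        if (c != ' ') nonSpace = true;
    }
    return nonSpace;
}

// Per-AE worklist directory (hypothetical helper): the Called AE Title must be
// a valid title AND a single path component, so "RAD/../ORTHO", "." or ".."
// cannot select another department's directory.
std::optional<fs::path> worklistDirFor(const fs::path& worklistRoot, const std::string& calledAe) {
    if (!validAeTitle(calledAe)) return std::nullopt;
    fs::path p(calledAe);
    if (std::distance(p.begin(), p.end()) != 1) return std::nullopt;
    return containedPath(worklistRoot, calledAe);
}
```

The two layers matter independently: `containedPath()` alone would accept a name such as `..\x` on Linux because the backslash is not a separator there, and `looksLikeUid()` alone says nothing about where the file lands. Apply the allowlist first, the containment check second, and treat a rejection as a protocol error from the peer rather than something to repair by stripping characters.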
CVE-2026-44628 | HIGH | CISA: Act Now

Denial of service in OFFIS DCMTK's DICOM worklist server (wlmscpfs) allows a remote, unauthenticated attacker to crash the service with a single crafted DICOM query. The crash is reachable when the server is provisioned with a valid Called AE Title, a storage directory, the expected lockfile and at least one matching worklist record, which is to say in a normally configured deployment. The flaw is a type-confusion condition (CWE-843) and carries a CVSS 4.0 base score of 8.7, driven entirely by high availability impact (VA:H). No public exploit identified at time of analysis, and not listed in CISA KEV; reported through the ICS-CERT/ICSMA medical-advisory channel.

Tags: Denial Of Service, Memory Corruption, Dcmtk Toolkit
References: NVD, GitHub
CVSS 4.0: 8.7 | EPSS: 0.4%