CVE-2018-25142 HIGH

CVE-2018-25142: NovaRad NovaPACS Diagnostics Viewer 8.5 XML External Entity Injection

Vendor Novarad Corporation
Product NovaPACS Diagnostics Viewer
Weakness CWE-611 · XXE
Published December 24, 2025
Last update December 24, 2025

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

NovaRad NovaPACS Diagnostics Viewer 8.5.19.75 contains an unauthenticated XML External Entity (XXE) injection vulnerability in XML preference import settings. Attackers can craft malicious XML files with DTD parameter entities to retrieve arbitrary system files through an out-of-band channel attack.

Key dates

02Disclosure timeline

December 24, 2025 CVE published
December 24, 2025 Record updated