CVE-2026-5663 MEDIUM

CVE-2026-5663: OFFIS DCMTK storescp storescp.cc executeOnEndOfStudy os command injection

Vendor Offis

Product DCMTK

Weakness CWE-78

Published April 6, 2026

Last update April 7, 2026

View on NVD All CVEs

CVSS base score

6.9/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X

What the vulnerability does

01Description

A security flaw has been discovered in OFFIS DCMTK up to 3.7.0. This impacts the function executeOnReception/executeOnEndOfStudy of the file dcmnet/apps/storescp.cc of the component storescp. Performing a manipulation results in os command injection. Remote exploitation of the attack is possible. The patch is named edbb085e45788dccaf0e64d71534cfca925784b8. Applying a patch is the recommended action to fix this issue.

Key dates

02Disclosure timeline

April 6, 2026 CVE published

April 7, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-5663 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/78.html

Related vulnerabilities

Identifiers

CVE CVE-2026-5663

CWE CWE-78

CVSS 6.9 / MEDIUM

Affected versions

Vendor Offis

Product DCMTK

Affected 3.0

Vendor Offis

Product DCMTK

Affected 3.1

Vendor Offis

Product DCMTK

Affected 3.2

Vendor Offis

Product DCMTK

Affected 3.3

Vendor Offis

Product DCMTK

Affected 3.4

Vendor Offis

Product DCMTK

Affected 3.5

Vendor Offis

Product DCMTK

Affected 3.6

Vendor Offis

Product DCMTK

Affected 3.7.0

CVE-2026-5663: OFFIS DCMTK storescp storescp.cc executeOnEndOfStudy os command injection

01Description

02Disclosure timeline

03References

04Related CVE