CVE-2026-5663

NameCVE-2026-5663
DescriptionA security flaw has been discovered in OFFIS DCMTK up to 3.7.0. This impacts the function executeOnReception/executeOnEndOfStudy of the file dcmnet/apps/storescp.cc of the component storescp. Performing a manipulation results in os command injection. Remote exploitation of the attack is possible. The patch is named edbb085e45788dccaf0e64d71534cfca925784b8. Applying a patch is the recommended action to fix this issue.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
dcmtk (PTS)bullseye3.6.5-1vulnerable
bullseye (security)3.6.5-1+deb11u6vulnerable
bookworm3.6.7-9~deb12u3vulnerable
trixie3.6.9-5vulnerable
forky, sid3.7.0+really3.6.9-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
dcmtksource(unstable)(unfixed)

Notes

Fixed by: https://github.com/DCMTK/dcmtk/commit/edbb085e45788dccaf0e64d71534cfca925784b8
Search for package or bug name: Reporting problems