Platform: c
Component: dcmtk
Fixed in: 3.0.1, 3.1.1, 3.2.1, 3.3.1, 3.4.1, 3.5.1, 3.6.1, 3.7.1
CVE-2026-5663 is an OS command injection vulnerability in OFFIS DCMTK versions 3.0.0 through 3.7.0. A remote attacker who can reach a storescp instance can make it execute arbitrary operating system commands through the executeOnReception/executeOnEndOfStudy function, the code behind storescp's --exec-on-reception and --exec-on-eostudy options, which run an external command after a DICOM object or a complete study has been received. The fix is in version 3.7.1, and upgrading is the recommended remediation.
Successful exploitation gives the attacker code execution on the host with the privileges of the storescp process (in practice often a privileged service account), from which data exfiltration, modification of the system, or pivoting to other hosts on the network follow. Because the trigger is network-reachable, no local access is required. storescp is typically deployed as the DICOM receiver in medical imaging workflows, so the host usually holds or forwards patient data. The root cause is the familiar command-injection pattern: values influenced by an untrusted peer reach a shell command line without adequate validation.
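The pattern behind this class of bug, as an added illustration that is not DCMTK code and not part of the original page: a post-receive hook whose command line is a template with placeholders (here `#a` for the calling AE title and `#f` for the stored file, an assumed scheme modelled on the placeholder style such hooks use) is expanded by plain string substitution and handed to `sh -c`, the way `system(3)` would. The sample template and the association fields are constructed; the "attacker" value only echoes a marker, so the block is safe to run. The two hardened variants beside it show what the fix for this class looks like: shell-quote every substituted value, or better, split the template once and execute an argv list with no shell at all.

```python
import shlex
import subprocess

# Constructed sample: a benign hook template, and one association whose
# calling AE title (a peer-controlled value) carries shell metacharacters.
HOOK_TEMPLATE = "printf '%s\\n' #a #f"
FIELDS = {
    "a": "PACS; echo INJECTED; :",   # attacker-controlled calling AE title
    "f": "/data/incoming/1.dcm",     # path of the received object (constructed)
}


def expand_unsafe(template, fields):
    """Vulnerable form: textual substitution puts peer bytes straight into a shell line."""
    line = template
    for key, value in fields.items():
        line = line.replace("#" + key, value)
    return line


def expand_quoted(template, fields):
    """Hardened form 1: shell-quote each value so the shell sees exactly one word per field."""
    line = template
    for key, value in fields.items():
        line = line.replace("#" + key, shlex.quote(value))
    return line


def expand_argv(template, fields):
    """Hardened form 2: tokenize the trusted template once, substitute per argument,
    and run the result without any shell. Metacharacters in values are inert."""
    argv = []
    for word in shlex.split(template):
        for key, value in fields.items():
            word = word.replace("#" + key, value)
        argv.append(word)
    return argv


def run_shell(line):
    """Execute a command line through /bin/sh, as system(3) does."""
    return subprocess.run(["sh", "-c", line], capture_output=True, text=True).stdout


def run_argv(argv):
    """Execute an argv list directly, no shell involved."""
    return subprocess.run(argv, capture_output=True, text=True).stdout


def injected(output):
    """True if the attacker's extra command actually ran (its marker is a line of its own)."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print("unsafe :", injected(run_shell(expand_unsafe(HOOK_TEMPLATE, FIELDS))))
    print("quoted :", injected(run_shell(expand_quoted(HOOK_TEMPLATE, FIELDS))))
    print("argv   :", injected(run_argv(expand_argv(HOOK_TEMPLATE, FIELDS))))
```

With the unsafe expansion the shell line becomes `printf '%s\n' PACS; echo INJECTED; : /data/incoming/1.dcm`, three commands instead of one; the quoted and argv forms pass the whole AE title as a single argument to printf. The argv form is the one to prefer: quoting is easy to get wrong for every platform shell, whereas an argument vector never gives the peer's bytes a chance to be parsed as syntax.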
CVE-2026-5663 was publicly disclosed on 2026-04-06. It is not listed in the CISA KEV catalog, and no public proof-of-concept exploit is known. The EPSS score recorded on this page is 1.76% (83rd percentile). Monitor security advisories and threat-intelligence feeds for any indication of active exploitation.
Exploit Status
EPSS: 1.76% (83rd percentile)
CISA SSVC: not provided
CVSS Vector: not provided
The primary mitigation for CVE-2026-5663 is to upgrade to DCMTK 3.7.1 or later, which contains the fix (commit edbb085e45788dccaf0e64d71534cfca925784b8). If an immediate upgrade is not feasible, reduce exposure until you can: storescp only runs an external command when it is started with --exec-on-reception or --exec-on-eostudy, so run it without those hooks where the workflow allows, or move the post-processing into a separate step that does not pass association-supplied values to a shell. storescp is a DICOM network service, not a web application, so a web application firewall offers no protection here; instead restrict which hosts can reach the listening port (firewall rules, a dedicated modality network segment or VPN) and, if the hooks must stay enabled, treat every value a remote peer can influence as untrusted. Monitor process creation under the storescp process: any child other than the configured hook command is the signal to look for. After upgrading, confirm with `storescp --version` that the running build is 3.7.1 or later and, in a test environment, send a crafted association that would have triggered the hook and verify that no injected command runs.
Update to version 3.7.1 or later, which carries the fix for the operating system command injection (commit edbb085e45788dccaf0e64d71534cfca925784b8).
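A triage check for the two practical questions above (is this build affected, and is the exec hook actually enabled), added here as an example and not DCMTK's or this page's own tooling. It parses the banner line of `storescp --version`, applies the affected range stated on this page (3.0.0 through 3.7.0, fixed in 3.7.1), and flags instances whose command line enables --exec-on-reception or --exec-on-eostudy. The banner text, the hook script path and the `ps -eo args` lines are constructed samples.

```python
import os
import re

# Affected range as stated on this page.
AFFECTED_MIN = (3, 0, 0)
FIXED_IN = (3, 7, 1)

# The storescp options that cause an external command to be executed.
EXEC_OPTIONS = ("--exec-on-reception", "--exec-on-eostudy")

# First line of `storescp --version` looks like "$dcmtk: storescp v3.6.8 2023-12-19 $".
VERSION_RE = re.compile(r"storescp v(\d+)\.(\d+)\.(\d+)")

# Constructed sample data (not captured from a real host).
SAMPLE_BANNER = "$dcmtk: storescp v3.6.8 2023-12-19 $"
SAMPLE_PS_ARGS = [
    "COMMAND",
    "/usr/bin/storescp --exec-on-reception /opt/hooks/notify.sh #a #f 11112",
    "/usr/bin/storescp -v 104",
    "sshd: /usr/sbin/sshd -D",
]


def parse_version(banner):
    """Return (major, minor, patch) from a storescp version banner."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("no storescp version found in banner")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version):
    return AFFECTED_MIN <= version < FIXED_IN


def storescp_invocations(ps_args_lines):
    """Pick storescp command lines out of `ps -eo args` output.

    ps does not preserve argument boundaries, so a hook command containing
    spaces is split into several words; that is fine because we only need
    to see whether one of the exec option flags is present.
    """
    found = []
    for line in ps_args_lines:
        words = line.split()
        if words and os.path.basename(words[0]) == "storescp":
            found.append(words)
    return found


def uses_exec_hook(argv):
    return any(word in EXEC_OPTIONS for word in argv)


def assess(banner, argv):
    """Triage verdict for one storescp instance."""
    if not is_affected_version(parse_version(banner)):
        return "patched"
    if uses_exec_hook(argv):
        return "affected-exposed"        # vulnerable build and the hook is enabled
    return "affected-hook-disabled"     # vulnerable build, hook not configured


def triage(banner, ps_args_lines):
    """Map each storescp command line to its verdict."""
    return {" ".join(argv): assess(banner, argv) for argv in storescp_invocations(ps_args_lines)}


if __name__ == "__main__":
    for cmdline, verdict in triage(SAMPLE_BANNER, SAMPLE_PS_ARGS).items():
        print(f"{verdict:24s} {cmdline}")
```

An instance marked affected-hook-disabled still needs the upgrade; the distinction only orders the work, because the exposed instances are the ones reachable through the vulnerable code path today. On a real host, feed the function the output of `storescp --version` and `ps -eo args`.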
CVE-2026-5663 is an OS command injection vulnerability in OFFIS DCMTK versions 3.0.0 through 3.7.0 that lets a remote attacker execute operating system commands via the storescp exec hooks.
You are affected if you are running OFFIS DCMTK versions 3.0.0 to 3.7.0 and have not applied the patch.
Upgrade to DCMTK version 3.7.1 or later. If upgrading is not possible, run storescp without --exec-on-reception/--exec-on-eostudy and restrict network access to its listening port; a WAF does not apply to a DICOM service.
There are currently no reports of active exploitation, but it's crucial to apply the patch proactively.
Refer to the OFFIS security advisory for detailed information and updates: https://www.dcmtk.org/security/advisories/