CVE Catalog

CVE-2026-25860

MediumCVSS 6.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.01%

1th percentile - higher than 1% of all known CVEs

Summary

OpenClinic GA version 5.351.19 contains a reflected cross-site scripting vulnerability in the DICOM image upload handler that allows attackers to execute arbitrary JavaScript in a victim's browser. Attackers can craft a DICOM file with malicious payloads in metadata fields that are reflected without sanitization.

Risk Assessment

This vulnerability could lead to user data theft or session hijacking, posing a serious security threat to the organization.

Recommendation

It is recommended to update OpenClinic GA to the latest version and implement input sanitization mechanisms in the DICOM image upload handling.

Original NVD description (English source)

OpenClinic GA 5.351.19 contains a reflected cross-site scripting vulnerability in the DICOM image upload handler that allows attackers to execute arbitrary JavaScript in a victim's browser by embedding malicious payloads in DICOM file metadata fields. Attackers can craft a DICOM file with JavaScript payloads in metadata fields such as Study Description, which are reflected without sanitization in popup.jsp and archiving/uploadfiles_jsp.java when processed through the Upload DICOM images feature.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS