CVE-2026-25860
MediumCVSS 6.1Exploitation Probability (EPSS)
Low risk1th percentile - higher than 1% of all known CVEs
Summary
OpenClinic GA version 5.351.19 contains a reflected cross-site scripting vulnerability in the DICOM image upload handler that allows attackers to execute arbitrary JavaScript in a victim's browser. Attackers can craft a DICOM file with malicious payloads in metadata fields that are reflected without sanitization.
Risk Assessment
This vulnerability could lead to user data theft or session hijacking, posing a serious security threat to the organization.
Recommendation
It is recommended to update OpenClinic GA to the latest version and implement input sanitization mechanisms in the DICOM image upload handling.
Original NVD description (English source)
OpenClinic GA 5.351.19 contains a reflected cross-site scripting vulnerability in the DICOM image upload handler that allows attackers to execute arbitrary JavaScript in a victim's browser by embedding malicious payloads in DICOM file metadata fields. Attackers can craft a DICOM file with JavaScript payloads in metadata fields such as Study Description, which are reflected without sanitization in popup.jsp and archiving/uploadfiles_jsp.java when processed through the Upload DICOM images feature.

