CVE-2026-5663
Published: 06 April 2026
Description
A security flaw has been discovered in OFFIS DCMTK up to 3.7.0. It affects the functions executeOnReception and executeOnEndOfStudy in the file dcmnet/apps/storescp.cc of the storescp component. Manipulation of the affected inputs results in OS command injection. Remote exploitation is possible.…
The patch is named edbb085e45788dccaf0e64d71534cfca925784b8. Applying a patch is the recommended action to fix this issue.
Mitigating Controls (NIST 800-53 r5) [AI]
- Directly remediates the OS command injection vulnerability in DCMTK storescp by requiring timely patching of the specific flaw via commit edbb085e45788dccaf0e64d71534cfca925784b8.
- Prevents remote exploitation of the command injection by enforcing validation of the inputs that reach the executeOnReception and executeOnEndOfStudy functions in storescp.cc.
- Limits the impact of arbitrary OS command execution by ensuring the storescp process runs with least privilege, reducing the damage an exploited instance can do.
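The input validation and shell-free execution the controls above call for, as an added example that is not DCMTK's code: it places the CWE-78 pattern (a command template expanded with a peer-supplied value and handed to a shell) beside a hardened variant that allow-lists the value and execs an argv array directly. The `#a` placeholder, the character policy and the 64-character limit are assumptions of this example, not taken from storescp.

```cpp
#include <cctype>
#include <cstdlib>
#include <stdexcept>
#include <string>
#include <vector>
#include <sys/wait.h>
#include <unistd.h>
// Hypothetical template syntax: "#a" stands for a value received from the peer.
std::string expandTemplate(const std::string& tmpl, const std::string& value) {
    std::string out = tmpl;
    for (size_t pos = out.find("#a"); pos != std::string::npos;
         pos = out.find("#a", pos + value.size()))
        out.replace(pos, 2, value);
    return out;
}
// CWE-78 pattern: /bin/sh parses the expanded line, so shell metacharacters
// inside `value` become command syntax rather than data.
int runViaShell(const std::string& tmpl, const std::string& value) {
    return std::system(expandTemplate(tmpl, value).c_str());
}
// Hardened step 1: allow-list the characters and length of the peer value
// (constructed policy for this example; tune it to the field being copied).
bool isSafePeerValue(const std::string& v) {
    if (v.empty() || v.size() > 64) return false;
    for (unsigned char c : v)
        if (!std::isalnum(c) && c != '_' && c != '-' && c != '.' && c != ' ')
            return false;
    return true;
}
// Hardened step 2: substitute into pre-split argv words, so the value can only
// ever be one argument, never part of the command line's structure.
std::vector<std::string> buildArgv(const std::vector<std::string>& words, const std::string& value) {
    if (!isSafePeerValue(value)) throw std::invalid_argument("rejected peer-supplied value");
    std::vector<std::string> argv;
    for (const auto& w : words) argv.push_back(expandTemplate(w, value));
    return argv;
}
// Hardened step 3: fork/execvp the argv directly; no shell is involved.
// Returns the child's exit status, 127 if it could not be executed, -1 on error.
int runWithoutShell(const std::vector<std::string>& argv) {
    std::vector<char*> cargv;
    for (const auto& a : argv) cargv.push_back(const_cast<char*>(a.c_str()));
    cargv.push_back(nullptr);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(cargv[0], cargv.data()); _exit(127); }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Running the hardened path under a dedicated low-privilege account is what makes the third control above effective even if the allow-list is too permissive for some field.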
Security Summary [AI]
CVE-2026-5663 is an OS command injection vulnerability affecting OFFIS DCMTK versions up to 3.7.0. The flaw resides in the storescp component, specifically in the executeOnReception and executeOnEndOfStudy functions in the file dcmnet/apps/storescp.cc. It is classified under CWE-77 and CWE-78, with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), rated high because it is reachable over the network and requires neither privileges nor user interaction.
Remote attackers can exploit this vulnerability without authentication by manipulating inputs to the affected functions, leading to arbitrary OS command execution on the target system. Successful exploitation has a low-rated impact on confidentiality, integrity, and availability (C:L/I:L/A:L), allowing an attacker to run commands in the security context of the storescp process.
The fix is to apply patch commit edbb085e45788dccaf0e64d71534cfca925784b8 from the DCMTK GitHub repository. Additional details are available from support.dcmtk.org (issue 1194), machinespirits.com, and the vuldb.com entry.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Unauthenticated remote OS command injection in the public-facing storescp network service maps to T1190 (Exploit Public-Facing Application) and to arbitrary Unix shell command execution (T1059.004, Command and Scripting Interpreter: Unix Shell).