CVE-2026-25860
Description
OpenClinic GA <=5.351.19 contains a reflected XSS in the DICOM upload handler, allowing JavaScript injection via metadata fields.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
OpenClinic GA versions up to and including 5.351.19 contain a reflected cross-site scripting vulnerability in the DICOM image upload handler. The archiving/uploadfiles.jsp script processes uploaded DICOM files and renders metadata fields such as StudyDescription without proper output encoding [1][2][3]. This allows an attacker to inject arbitrary JavaScript into the web page when the uploaded file is processed.
Exploitation
An attacker can craft a malicious DICOM file containing JavaScript payloads in metadata fields like StudyDescription. The attacker then needs to convince an authenticated victim to upload this DICOM file via the Upload DICOM images feature. When the server reflects the metadata in popup.jsp or uploadfiles.jsp, the payload executes in the victim's browser [1][2].
Impact
Successful exploitation leads to arbitrary JavaScript execution in the context of the victim's session, potentially allowing the attacker to perform actions such as modifying configuration settings or exfiltrating data. Reference [1] describes chaining this XSS with other functionality to achieve remote code execution via storePicture.jsp parameter manipulation.
Mitigation
As of the publication date, no official patch has been released by the vendor. Users are advised to restrict access to the DICOM upload feature to trusted users only, and to consider input validation or output encoding modifications as a temporary workaround. The vulnerability affects OpenClinic GA <=5.351.19 [2][3].
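The output-encoding workaround above, as an added example rather than OpenClinic GA code, written in Java because the affected handler is a JSP: the vulnerable concatenation pattern beside a hardened version that first checks the value against the LO value representation of StudyDescription (0008,1030) and then HTML-encodes it before rendering. The class, method names and the sample value are assumptions.

```java
// Added example, not OpenClinic GA code. StudyDescription (0008,1030) has VR LO:
// at most 64 characters, no backslash, no control characters other than ESC.
public final class DicomMetadataRenderer {
    private static final int LO_MAX_LENGTH = 64;
    /** Vulnerable pattern: the raw attribute value is concatenated into the HTML. */
    static String renderUnsafe(String studyDescription) {
        return "<td>" + studyDescription + "</td>";
    }

    /** Reject values that violate the Long String (LO) value representation. */
    static boolean isValidLo(String value) {
        if (value == null || value.length() > LO_MAX_LENGTH) return false;
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean control = c < 0x20 || c == 0x7F;
            if (c == '\\' || (control && c != 0x1B)) return false;
        }
        return true;
    }

    /** Encode for HTML element content so markup in the value is displayed, not parsed. */
    static String htmlEncode(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Hardened pattern: validate against the VR first, then output-encode. */
    static String renderSafe(String studyDescription) {
        String value = isValidLo(studyDescription) ? studyDescription : "[invalid StudyDescription]";
        return "<td>" + htmlEncode(value) + "</td>";
    }

    public static void main(String[] args) {
        // Constructed sample value of the kind a crafted file could carry.
        String tainted = "CT Chest <script>alert(1)</script>";
        System.out.println(renderUnsafe(tainted)); // markup passes through unchanged
        System.out.println(renderSafe(tainted));   // markup is rendered inert
    }
}
```

Encoding must match the output context: the element-content encoder shown here is not sufficient on its own for values placed inside attributes, URLs or inline script.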
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=5.351.19
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The DICOM image upload handler reflects metadata fields without sanitization, leading to cross-site scripting."
Attack vector
An attacker can craft a DICOM file containing JavaScript payloads within metadata fields, such as the Study Description [1]. When this malicious DICOM file is uploaded via the "Upload DICOM images" feature, the application processes the metadata. Subsequently, these unsanitized metadata fields are reflected in the `popup.jsp` and `archiving/uploadfiles_jsp.java` components, triggering the execution of arbitrary JavaScript in the victim's browser [1][2]. This vulnerability is classified as a reflected cross-site scripting (XSS) flaw [2].
Affected code
The vulnerability resides within the DICOM image upload handler, specifically in the `web/archiving/uploadfiles.jsp` file. The code snippet indicates that fields like `Tag.StudyDescription` are processed and reflected without adequate sanitization, leading to the cross-site scripting vulnerability [1]. The older version of the affected file was named `uploadfiles_jsp.java` [1].
What the fix does
The advisory does not specify a patch or provide details on how the vulnerability is remediated. Therefore, the exact changes made to fix this issue are not available. Users are advised to consult vendor advisories for the latest information on mitigation or patches.
Preconditions
- input: The attacker must craft a DICOM file with malicious JavaScript payloads in metadata fields like Study Description.
- network: The victim must visit a page that processes the uploaded DICOM file.
- auth: No authentication is required for the attacker to exploit this vulnerability.
Reproduction
Create a malicious DICOM file by modifying the StudyDescription with HTML code. Upload this file using the "Upload DICOM images" feature. Observe the execution of JavaScript payloads in the `popup.jsp` or `archiving/uploadfiles_jsp.java` components [1].
Generated on Jun 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.