VYPR

dcmtk

by Debian

CVEs (5)

  • CVE-2026-52868Jul 4, 2026
    risk 0.00cvss epss 0.00

    An unauthenticated attacker can read worklist records from a directory outside the intended per-AE worklist storage area. In a multi-area deployment, this can cross departmental or clinic data separation.

  • CVE-2026-50003Jul 4, 2026
    risk 0.00cvss epss 0.00

    A malicious or compromised server can make a DCMTK client using bit-preserving C-GET storage mode write files outside the chosen output directory, using both relative (../) paths and absolute paths.

  • CVE-2026-44628Jul 4, 2026
    risk 0.00cvss epss 0.00

    An unauthenticated attacker can crash the worklist server with a single crafted query when the server has a valid Called AE Title / storage directory, the expected lockfile, and at least one matching worklist record.

  • CVE-2026-35505Jul 4, 2026
    risk 0.00cvss epss 0.00

    An unauthenticated remote attacker can repeatedly send crafted connection requests to leak memory. In single-process deployments the memory grows until the service is killed and the port stops responding until restart.

  • CVE-2026-50254Jul 4, 2026
    risk 0.00cvss epss 0.00

    An unauthenticated remote attacker can repeatedly send a single crafted connection request to leak memory. Against storescp in its default single-process mode, memory grows quickly and the service is eventually killed, after which it stops accepting connections until an operator…