Cyber Posture

CVE-2026-5663

Severity: High (Updated)
Published: 06 April 2026
Modified: 27 April 2026
KEV Added: none (not in CISA KEV)
Remediation: Patch
CVSS Score: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.0039 (60.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-5663 is a high-severity command injection (CWE-77) vulnerability in OFFIS DCMTK. Its CVSS v3.1 base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 39.7% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent (SI-2 Flaw Remediation): Directly remediates the OS command injection vulnerability in DCMTK storescp by requiring timely patching of the specific flaw via commit edbb085e45788dccaf0e64d71534cfca925784b8.
- prevent (SI-10 Information Input Validation): Prevents remote exploitation of the command injection by enforcing validation of the inputs that reach the executeOnReception and executeOnEndOfStudy functions in storescp.cc.
- prevent: Limits the impact of arbitrary OS command execution by ensuring the storescp process runs with least privilege, reducing the damage an attacker can do after exploitation.
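To make the SI-10 control and the CWE-78 pattern concrete, the following is an added illustration in C; it is not DCMTK's storescp code. It shows a vulnerable helper that splices a peer-supplied identifier into a command line destined for "/bin/sh -c", beside the hardened form that allow-list-validates the value and passes it as a single argv element for execv(), so no shell ever parses it. The "%PEER%" placeholder, the helper names, the 16-character limit and the sample values are assumptions constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the CWE-78 pattern and its hardened form. This is NOT
 * DCMTK's code: names, the "%PEER%" placeholder, MAX_ID and the sample values
 * are constructed for the example. */

#define MAX_ID 16      /* assumed maximum length of a peer-supplied identifier */
#define CMD_MAX 256

/* Allow-list validation (NIST SI-10): accept only short identifiers made of
 * letters, digits, space, '_', '-' and '.'; anything else is refused.
 * Returns 1 when the value is acceptable, 0 otherwise. */
int is_safe_identifier(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > MAX_ID)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != ' ' && c != '_' && c != '-' && c != '.')
            return 0;
    }
    return 1;
}

/* VULNERABLE pattern: the untrusted value replaces "%PEER%" inside a command
 * line that is later executed through "/bin/sh -c". Any shell metacharacter
 * in the value becomes part of the command. Returns 0 on success, -1 if the
 * result would not fit in out. */
int build_shell_command_unsafe(const char *tmpl, const char *untrusted,
                               char *out, size_t outsz)
{
    const char *ph = strstr(tmpl, "%PEER%");
    if (!ph) {
        if (strlen(tmpl) >= outsz)
            return -1;
        strcpy(out, tmpl);
        return 0;
    }
    size_t prefix = (size_t)(ph - tmpl);
    int n = snprintf(out, outsz, "%.*s%s%s", (int)prefix, tmpl, untrusted,
                     ph + strlen("%PEER%"));
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* HARDENED pattern: never build a shell string. The untrusted value is passed
 * as one argv element for execv()/posix_spawn(), so the kernel hands it to the
 * program verbatim and no shell re-parses it. Validation still runs first.
 * Returns argc on success, -1 if the value is rejected or argv is too small. */
int build_argv_safe(const char *program, const char *untrusted,
                    const char **argv, size_t argv_len)
{
    if (argv_len < 3 || !is_safe_identifier(untrusted))
        return -1;
    argv[0] = program;
    argv[1] = untrusted;     /* a single element, never interpreted by a shell */
    argv[2] = NULL;
    return 2;
}

/* Counts characters that "sh -c" would treat as command separators or
 * substitutions; used only to show what the unsafe string carries. */
int count_shell_metachars(const char *s)
{
    int n = 0;
    for (; *s; s++)
        if (strchr(";|&$`<>()\n", *s))
            n++;
    return n;
}

int main(void)
{
    /* constructed samples: a benign peer name and one carrying a metacharacter */
    const char *good = "CLIENT_AE";
    const char *bad  = "CLIENT;ls";
    char cmd[CMD_MAX];
    const char *argv[3];

    build_shell_command_unsafe("/usr/local/bin/notify %PEER%", bad, cmd, sizeof cmd);
    printf("unsafe command string: %s (metachars: %d)\n", cmd,
           count_shell_metachars(cmd));
    printf("validator: %s -> %d, %s -> %d\n", good, is_safe_identifier(good),
           bad, is_safe_identifier(bad));
    printf("hardened argv build, bad input:  %d\n",
           build_argv_safe("/usr/local/bin/notify", bad, argv, 3));
    printf("hardened argv build, good input: %d\n",
           build_argv_safe("/usr/local/bin/notify", good, argv, 3));
    return 0;
}
```

In a real service the argv array from build_argv_safe would go straight to execv() or posix_spawn() instead of system(), and the process would run as an unprivileged account so that the third control above (least privilege) bounds whatever the executed program can reach.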

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Unauthenticated remote OS command injection in public-facing storescp network service enables T1190 (Exploit Public-Facing Application) and facilitates arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A security flaw has been discovered in OFFIS DCMTK up to 3.7.0. This impacts the function executeOnReception/executeOnEndOfStudy of the file dcmnet/apps/storescp.cc of the component storescp. Performing a manipulation results in os command injection. Remote exploitation of the attack is possible.…
The patch is named edbb085e45788dccaf0e64d71534cfca925784b8. Applying a patch is the recommended action to fix this issue.

Deeper analysis (AI-generated)

CVE-2026-5663 is an OS command injection vulnerability affecting OFFIS DCMTK versions up to 3.7.0. The flaw resides in the storescp component, specifically within the executeOnReception and executeOnEndOfStudy functions in the file dcmnet/apps/storescp.cc. It is classified under CWE-77 and CWE-78, with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L): high severity because it is reachable over the network and requires neither privileges nor user interaction.

Remote attackers can exploit this vulnerability without authentication by manipulating inputs to the affected functions, leading to arbitrary OS command execution on the target system. Per the CVSS vector the impact on confidentiality, integrity and availability is rated Low, since commands run in the context of the storescp process rather than with elevated privileges.

The fix is commit edbb085e45788dccaf0e64d71534cfca925784b8 in the DCMTK GitHub repository. Additional details are provided in advisories from support.dcmtk.org (issue 1194), machinespirits.com, and vuldb.com entries.

Details

CWE(s): CWE-77 (Command Injection), CWE-78 (OS Command Injection)

Affected Products: offis / dcmtk, versions ≤ 3.7.0

CVEs Like This One

- CVE-2024-47796: same product (OFFIS DCMTK)
- CVE-2024-52333: same product (OFFIS DCMTK)
- CVE-2025-9387: shared CWE-77, CWE-78
- CVE-2026-6112: shared CWE-77, CWE-78
- CVE-2026-8191: shared CWE-77, CWE-78
- CVE-2026-6131: shared CWE-77, CWE-78
- CVE-2026-7121: shared CWE-77, CWE-78
- CVE-2025-1608: shared CWE-77, CWE-78
- CVE-2026-27811: shared CWE-77, CWE-78
- CVE-2025-2094: shared CWE-77, CWE-78

References