CVE-2026-5663

Severity: Medium
Published: 06 April 2026
Modified: 27 April 2026
KEV: not added
Remediation: Patch
CVSS v4 score: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0172 (74.5th percentile)
Risk priority: 35 (floored blend, peak EPSS)

Summary

CVE-2026-5663 is a medium-severity Command Injection (CWE-77) vulnerability in OFFIS DCMTK. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 25.5% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A security flaw has been discovered in OFFIS DCMTK up to version 3.7.0, specifically in the executeOnReception and executeOnEndOfStudy functions within dcmnet/apps/storescp.cc of the storescp component. The issue stems from improper handling of input that permits OS command injection, tracked under CWE-77 and CWE-78. The vulnerability received a CVSS 4.0 score of 6.9 with a network attack vector, low complexity, and no required privileges or user interaction.

Remote attackers can exploit the flaw to inject and execute arbitrary operating system commands against affected storescp instances. Successful exploitation grants limited impacts to confidentiality, integrity, and availability on the target system without authentication.

The recommended mitigation is to apply the patch identified by commit edbb085e45788dccaf0e64d71534cfca925784b8, available in the DCMTK repository and referenced in the project's issue tracker. No other workarounds are specified in the available advisories.
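As an added illustration, not DCMTK's own code: this is how an exec-on-event hook in the style of storescp's executeOnReception can be written so that peer-supplied metadata never reaches a shell, which is the SI-10 input validation and least-privilege guidance on this page applied at the code level. The hook template, the placeholder names #a and #f, and the exact allowlist are assumptions for this example; only the 16-character limit comes from DICOM's definition of an AE title.

```c
#include <ctype.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Allowlist for any value substituted into the hook: 1..max_len chars of
 * [A-Za-z0-9._-]. DICOM caps an AE title at 16 characters; the rest of the
 * rule is an assumption chosen to exclude shell and option syntax. */
int safe_token(const char *s, size_t max_len) {
    size_t n = strlen(s);
    if (n == 0 || n > max_len) return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && !strchr("._-", s[i])) return 0;
    return 1;
}

/* Hook template (assumed for this example): "#a" = calling AE title,
 * "#f" = stored file name. Each placeholder is a whole argv token, so a
 * value can never merge with other text, and "--" stops it being read as
 * an option by the hook program. */
static const char *HOOK_TEMPLATE[] = { "/usr/local/bin/on-receive", "--", "#a", "#f", NULL };

/* Fill argv by whole-token substitution; returns argc or -1 if any value
 * fails validation (the hook is then not run at all). */
int build_hook_argv(const char *calling_ae, const char *file,
                    const char **argv, size_t max_args) {
    if (!safe_token(calling_ae, 16) || !safe_token(file, 255)) return -1;
    size_t n = 0;
    for (const char **t = HOOK_TEMPLATE; *t && n + 1 < max_args; t++, n++) {
        if (strcmp(*t, "#a") == 0)      argv[n] = calling_ae;
        else if (strcmp(*t, "#f") == 0) argv[n] = file;
        else                            argv[n] = *t;
    }
    argv[n] = NULL;
    return (int)n;
}

/* Run the hook through fork/execvp instead of system(): no shell parses the
 * arguments, so metacharacters in peer-supplied data have no effect. */
int run_hook(const char *calling_ae, const char *file) {
    const char *argv[8];
    if (build_hook_argv(calling_ae, file, argv, 8) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], (char *const *)argv); _exit(127); }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Running the hook as a dedicated low-privilege user (the AC-6 side of the page's recommendations) is an OS-level setting and is not shown here.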

EPSS for this CVE rose from a low baseline to a peak of 0.0176 on 2026-04-12 before receding to the current value of 0.0039, indicating a temporary increase in observed exploitation interest after disclosure.

Vulnerability details

A security flaw has been discovered in OFFIS DCMTK up to 3.7.0. This impacts the function executeOnReception/executeOnEndOfStudy of the file dcmnet/apps/storescp.cc of the component storescp. Performing a manipulation results in os command injection. Remote exploitation of the attack is possible.…

The patch is named edbb085e45788dccaf0e64d71534cfca925784b8. Applying a patch is the recommended action to fix this issue.

CWE(s): CWE-77 (Command Injection), CWE-78 (OS Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Unauthenticated remote OS command injection in public-facing storescp network service enables T1190 (Exploit Public-Facing Application) and facilitates arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-52333 (same product: OFFIS DCMTK)
CVE-2024-47796 (same product: OFFIS DCMTK)
CVE-2026-7204 (shared CWE-77, CWE-78)
CVE-2026-2152 (shared CWE-77, CWE-78)
CVE-2026-5677 (shared CWE-77, CWE-78)
CVE-2026-2157 (shared CWE-77, CWE-78)
CVE-2026-7136 (shared CWE-77, CWE-78)
CVE-2026-7121 (shared CWE-77, CWE-78)
CVE-2026-9387 (shared CWE-77, CWE-78)
CVE-2026-9477 (shared CWE-77, CWE-78)

Affected Assets

offis:dcmtk, versions ≤ 3.7.0

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent): directly remediates the OS command injection vulnerability in DCMTK storescp by requiring timely patching of the specific flaw via commit edbb085e45788dccaf0e64d71534cfca925784b8.

SI-10 Information Input Validation (prevent): prevents remote exploitation of the command injection by enforcing validation of manipulated inputs to the executeOnReception and executeOnEndOfStudy functions in storescp.cc.

AC-6 Least Privilege (prevent): limits the impact of arbitrary OS command execution by ensuring the storescp process operates with least privilege, reducing the potential damage from exploitation.
