CVE-2026-5663
Published: 06 April 2026
Summary
CVE-2026-5663 is a medium-severity Command Injection (CWE-77) vulnerability in OFFIS DCMTK. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 25.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A security flaw has been discovered in OFFIS DCMTK up to version 3.7.0, specifically in the executeOnReception and executeOnEndOfStudy functions within dcmnet/apps/storescp.cc of the storescp component. The issue stems from improper handling of input, which permits OS command injection; it is tracked under CWE-77 and CWE-78. The vulnerability received a CVSS 4.0 score of 6.9, with a network attack vector, low attack complexity, and no privileges or user interaction required.
Remote attackers can exploit the flaw to inject and execute arbitrary operating system commands on affected storescp instances. Successful exploitation has limited impact on confidentiality, integrity, and availability of the target system and requires no authentication.
The recommended mitigation is to apply the patch identified by commit edbb085e45788dccaf0e64d71534cfca925784b8, available in the DCMTK repository and referenced in the project's issue tracker. No other workarounds are specified in the available advisories.
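As an added illustration of the input-validation control (SI-10) discussed on this page, and not DCMTK's own code or the referenced fix: a C routine that checks a value against an allow-list before splicing it into an exec-hook command template, rejecting anything a shell would interpret. It assumes a "#a" placeholder standing for the calling AE title; the template, the AE titles and the metacharacter list are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Characters that must never reach a shell via substitution. Assumption:
 * the substituted value (here a DICOM AE title) is otherwise free text. */
static const char SHELL_META[] = "`$|;&<>(){}[]*?!\"'\\\n\r";

/* Allow-list check: printable, at most 16 chars (DICOM AE title limit),
 * no shell metacharacters. Returns 1 if safe to substitute, else 0. */
int is_safe_substitution(const char *value) {
    size_t len = strlen(value);
    if (len == 0 || len > 16) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        if (!isprint(c) || strchr(SHELL_META, (int)c) != NULL) return 0;
    }
    return 1;
}

/* Expand the "#a" placeholder (assumed to stand for the calling AE title)
 * in a command template into out. Returns 0 on success, -1 if the value
 * fails validation or the output buffer is too small. Even a validated
 * string is better passed to execvp() as an argv entry than to system();
 * the point shown here is the reject-before-substitute step. */
int build_command(const char *tmpl, const char *ae_title,
                  char *out, size_t outsz) {
    if (!is_safe_substitution(ae_title)) return -1;
    size_t n = strlen(ae_title), o = 0;
    for (const char *p = tmpl; *p != '\0'; p++) {
        if (p[0] == '#' && p[1] == 'a') {
            if (o + n >= outsz) return -1;
            memcpy(out + o, ae_title, n);
            o += n;
            p++;                      /* skip the 'a' of "#a" */
        } else {
            if (o + 1 >= outsz) return -1;
            out[o++] = *p;
        }
    }
    out[o] = '\0';
    return 0;
}
```

A caller would log and drop the association when build_command returns -1 rather than fall back to the raw value.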
EPSS for this CVE rose from a low baseline to a peak of 0.0176 on 2026-04-12 before receding to the current value of 0.0039, indicating a temporary increase in observed exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-19243
Vulnerability details
A security flaw has been discovered in OFFIS DCMTK up to 3.7.0. This impacts the function executeOnReception/executeOnEndOfStudy of the file dcmnet/apps/storescp.cc of the component storescp. Performing a manipulation results in OS command injection. Remote exploitation of the attack is possible.…
The patch is named edbb085e45788dccaf0e64d71534cfca925784b8. Applying a patch is the recommended action to fix this issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote OS command injection in the public-facing storescp network service enables T1190 (Exploit Public-Facing Application) and leads to arbitrary Unix shell command execution (T1059.004).
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly remediates the OS command injection vulnerability in DCMTK storescp by requiring timely patching of the specific flaw via commit edbb085e45788dccaf0e64d71534cfca925784b8.
- SI-10 (Information Input Validation): prevents remote exploitation of the command injection by enforcing validation of manipulated inputs to the executeOnReception and executeOnEndOfStudy functions in storescp.cc.
- Least privilege: limits the impact of arbitrary OS command execution by ensuring the storescp process runs with the minimum privileges it needs, reducing the potential damage from exploitation.