OFFIS DCMTK and DICOM Projects

2026-04-07

10:33 DCMTK Bug #1194: OS command injection vulnerability in storescp --exec-on-reception

This issue has been assigned CVE number CVE-2026-5663 (https://vuldb.com/vuln/355486).
Marco Eichelberg

2026-04-04

09:06 DCMTK Bug #1188 (Closed): Assertion failure in JPEG-LS encoder

Closed by commit #08c4c8734.
Marco Eichelberg

2026-03-29

14:51 DCMTK Bug #1198 (Closed): Path Traversal in JSON Bulkdata Loading

Closed by commit #969c4b6f2.
Marco Eichelberg

10:05 DCMTK Bug #1197 (Closed): Uninitialized Memory Read in JSMN Token Array

Closed by commit #ae94a3d75.
Marco Eichelberg

09:03 DCMTK Bug #1196 (Closed): SEGV via OOB Read in DcmJSONReader getTokenContent

Closed by commit #4add0621b (i.e. the same commit that also closed DCMTK issue #1193.) Marco Eichelberg

2026-03-28

20:08 DCMTK Bug #1195 (Closed): Heap OOB Read via PersonName Path in DcmJSONReader

Closed by commit #4add0621b (i.e. the same commit that also closed DCMTK issue #1193.) Marco Eichelberg

18:22 DCMTK Bug #1193 (Closed): Heap OOB Read in DcmJSONReader getTokenContent

Closed by commit #4add0621b.
Marco Eichelberg

2026-03-24

09:21 DCMTK Bug #1194: OS command injection vulnerability in storescp --exec-on-reception

Also see: https://machinespirits.com/advisory/2e1627/
Marco Eichelberg

2026-03-21

18:35 DCMTK Bug #1194 (Closed): OS command injection vulnerability in storescp --exec-on-reception

Closed by DCMTK commit #edbb085e4.
Marco Eichelberg

18:23 DCMTK Bug #1194: OS command injection vulnerability in storescp --exec-on-reception

This vulnerability only affects the @storescp@ command line tool, not the underlying libraries. The vulnerability is ... Marco Eichelberg

2026-03-14

17:40 DCMTK Bug #1194 (Closed): OS command injection vulnerability in storescp --exec-on-reception

Three placeholder tokens used in the shell command execution feature (#f , #p , #r) are derived from attacker-control... Marco Eichelberg