GHSA-fr6h-hjqh-g695MediumCVSS 6.1
OpenClinic GA 5.351.19 contains a reflected cross-site scripting vulnerability in the DICOM image...
🔗 CVE IDs covered (1)
📋 Description
OpenClinic GA 5.351.19 contains a reflected cross-site scripting vulnerability in the DICOM image upload handler that allows attackers to execute arbitrary JavaScript in a victim's browser by embedding malicious payloads in DICOM file metadata fields. Attackers can craft a DICOM file with JavaScript payloads in metadata fields such as Study Description, which are reflected without sanitization in popup.jsp and archiving/uploadfiles_jsp.java when processed through the Upload DICOM images feature.
🔗 References (5)
- https://nvd.nist.gov/vuln/detail/CVE-2026-25860
- https://github.com/partywavesec/CVE-2026-25860
- https://www.partywave.site/show/research/cve-2026-25860-openclinic-ga-xss-to-rce
- https://www.vulncheck.com/advisories/openclinic-ga-reflected-xss-via-dicom-image-upload-handler
- https://github.com/advisories/GHSA-fr6h-hjqh-g695