CVE-2026-25860
Severity: 5.3 (Medium)
Published:
Last updated:
Source: disclosure@vulncheck.com
Status: Deferred
Weakness (CWE)
CVSS Vector (v4.0)
- Attack Vector: Network
- Attack Complexity: Low
- Attack Requirements: None
- Privileges Required: None
- User Interaction: Passive
- Confidentiality (Vulnerable): None
- Integrity (Vulnerable): None
- Availability (Vulnerable): None
- Confidentiality (Subsequent): Low
- Integrity (Subsequent): Low
- Availability (Subsequent): None
Description
OpenClinic GA 5.351.19 contains a reflected cross-site scripting vulnerability in the DICOM image upload handler that allows attackers to execute arbitrary JavaScript in a victim's browser by embedding malicious payloads in DICOM file metadata fields. Attackers can craft a DICOM file with JavaScript payloads in metadata fields such as Study Description, which are reflected without sanitization in popup.jsp and archiving/uploadfiles_jsp.java when processed through the Upload DICOM images feature.
References
(reported by disclosure@vulncheck.com)
- https://github.com/partywavesec/CVE-2026-25860
- https://www.partywave.site/show/research/cve-2026-25860-openclinic-ga-xss-to-rce
- https://www.vulncheck.com/advisories/openclinic-ga-reflected-xss-via-dicom-image-upload-handler