CVE-2026-25860

MEDIUM NVD

CVSS Score 6.1

Severity MEDIUM

Published Jun 09, 2026

Vendor unknown

Description

OpenClinic GA 5.351.19 contains a reflected cross-site scripting vulnerability in the DICOM image upload handler that allows attackers to execute arbitrary JavaScript in a victim's browser by embedding malicious payloads in DICOM file metadata fields. Attackers can craft a DICOM file with JavaScript payloads in metadata fields such as Study Description, which are reflected without sanitization in popup.jsp and archiving/uploadfiles_jsp.java when processed through the Upload DICOM images feature.

References

https://github.com/partywavesec/CVE-2026-25860
https://www.partywave.site/show/research/cve-2026-25860-openclinic-ga-xss-to-rce
https://www.vulncheck.com/advisories/openclinic-ga-reflected-xss-via-dicom-image-upload-handler