CVE-2026-25860

CVE Database · CVE-2026-25860

CVE-2026-25860

· MEDIUMDeferred

CVSS v3.1

6.1

CVSS v4.0

5.3

EPSS

0.35%

Published

Jun 9, 2026

Modified

Jun 10, 2026

Public PoC / Exploit (1)

All weaponized →

TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

OpenClinic GA 5.351.19 contains a reflected cross-site scripting vulnerability in the DICOM image upload handler that allows attackers to execute arbitrary JavaScript in a victim's browser by embedding malicious payloads in DICOM file metadata fields. Attackers can craft a DICOM file with JavaScript payloads in metadata fields such as Study Description, which are reflected without sanitization in popup.jsp and archiving/uploadfiles_jsp.java when processed through the Upload DICOM images feature.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Weaknesses (CWE)

CWE-79

References (3)

https://github.com/partywavesec/CVE-2026-25860

https://www.partywave.site/show/research/cve-2026-25860-openclinic-ga-xss-to-rce

https://www.vulncheck.com/advisories/openclinic-ga-reflected-xss-via-dicom-image-upload-handler

KEV Catalog EPSS Scores Vendors All CVEs