Description
OpenClinic GA 5.351.19 contains a reflected cross-site scripting vulnerability in the DICOM image upload handler that allows attackers to execute arbitrary JavaScript in a victim's browser by embedding malicious payloads in DICOM file metadata fields. Attackers can craft a DICOM file with JavaScript payloads in metadata fields such as Study Description, which are reflected without sanitization in popup.jsp and archiving/uploadfiles_jsp.java when processed through the Upload DICOM images feature.
Published: 2026-06-09
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenClinic GA version 5.351.19 has a reflected cross‑site scripting flaw in the DICOM image upload handler. Injected JavaScript placed in DICOM metadata fields such as Study Description is reflected without sanitization into popup.jsp and archiving/uploadfiles_jsp.java. This allows the attacker to run arbitrary JavaScript in the browser of a user who views the affected pages, resulting in client‑side code execution.

Affected Systems

The vulnerability affects OpenClinic GA from vendor frankverbeke, with the specific affected release being 5.351.19. No additional affected versions are listed in the CVE data.

Risk and Exploitability

The CVSS score is 5.3, denoting medium severity. EPSS information is not available and the flaw is not listed in CISA's KEV catalog, indicating it has not been widely exploited publicly. Exploitation requires a crafted DICOM file to be submitted to the upload handler, after which the malicious payload is reflected directly into a victim's browser when they access the JSP pages that display the metadata. The impact is limited to the client’s browser environment and does not affect the server or network directly.

Generated by OpenCVE AI on June 9, 2026 at 23:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an official vendor patch that addresses the reflected XSS flaw in the DICOM upload handler.
  • Restrict access to the DICOM image upload functionality to only authenticated and authorized users to reduce the attack surface.
  • Implement proper input validation and output encoding for all DICOM metadata fields before they are rendered in popup.jsp and archiving/uploadfiles_jsp.java to prevent reflected script execution.

Generated by OpenCVE AI on June 9, 2026 at 23:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description OpenClinic GA 5.351.19 contains a reflected cross-site scripting vulnerability in the DICOM image upload handler that allows attackers to execute arbitrary JavaScript in a victim's browser by embedding malicious payloads in DICOM file metadata fields. Attackers can craft a DICOM file with JavaScript payloads in metadata fields such as Study Description, which are reflected without sanitization in popup.jsp and archiving/uploadfiles_jsp.java when processed through the Upload DICOM images feature.
Title OpenClinic GA 5.351.19 Reflected XSS via DICOM Image Upload Handler
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-09T21:09:44.921Z

Reserved: 2026-02-06T19:12:03.463Z

Link: CVE-2026-25860

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-09T22:16:22.303

Modified: 2026-06-09T22:16:22.303

Link: CVE-2026-25860

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T23:15:16Z

Weaknesses