CVE-2026-25860: OpenClinic GA DICOM Upload XSS Vulnerability (CVSS 6.1)
OpenClinic GA version 5.351.19 contains a reflected cross-site scripting (XSS) vulnerability in its DICOM image upload functionality. An attacker can craft a malicious DICOM medical image file containing JavaScript code in metadata fields like Study Description. When a user uploads and processes this file through the application's DICOM upload feature, the embedded script executes in their browser without restriction, potentially allowing the attacker to steal session cookies, redirect users to malicious sites, or perform unauthorized actions on behalf of the victim.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.1 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
OpenClinic GA 5.351.19 contains a reflected cross-site scripting vulnerability in the DICOM image upload handler that allows attackers to execute arbitrary JavaScript in a victim's browser by embedding malicious payloads in DICOM file metadata fields. Attackers can craft a DICOM file with JavaScript payloads in metadata fields such as Study Description, which are reflected without sanitization in popup.jsp and archiving/uploadfiles_jsp.java when processed through the Upload DICOM images feature.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in OpenClinic GA's DICOM image upload handler, specifically in the popup.jsp and archiving/uploadfiles_jsp.java components. When DICOM files are processed, metadata fields (such as Study Description) are reflected directly into the HTTP response without proper HTML encoding or sanitization. An attacker can embed JavaScript payloads in these DICOM metadata fields using standard DICOM formatting tools. Upon upload and display by a victim user, the browser executes the unescaped script in the context of the OpenClinic GA application domain, achieving reflected XSS. The vulnerability requires user interaction (file upload) but not authentication, and the impact crosses security boundaries (CWE-79 classification confirms improper neutralization of input during web page generation).
Business impact
This vulnerability poses a direct threat to healthcare organizations using OpenClinic GA. A successful attack could compromise clinician sessions, expose patient data in transit, or manipulate displayed medical information during diagnosis workflow. Since medical imaging upload is part of routine clinical operations, the attack surface is wide—any user with upload privileges or any user deceived into uploading a crafted file becomes a vector. The reflected nature means attackers can distribute malicious DICOM files via email or file-sharing platforms targeting specific healthcare facilities. Reputational damage and regulatory exposure (HIPAA, GDPR implications for patient data handling) add to operational risk.
Affected systems
OpenClinic GA version 5.351.19 is confirmed affected. The vulnerability impacts the DICOM upload feature, which is typically used by radiologists, medical technicians, and clinical staff managing diagnostic imaging workflows. Any deployment of this version exposing the upload interface to network users (including internal networks with compromised user accounts) is at risk. No patch version information is provided in the advisory; verify current and target versions against the vendor's security bulletins.
Exploitability
Exploitability is moderate. The attack requires network access (AV:N) and no special conditions—an attacker can craft a DICOM file offline and distribute it. However, exploitation requires user interaction (UI:R): a victim must upload the file and trigger its processing. The attacker has no authentication requirement (PR:N), lowering the barrier significantly. CVSS score of 6.1 (MEDIUM) reflects this profile. The attack is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, meaning no public weaponized exploits or active campaigns have been formally documented, but this does not guarantee absence of threat actor interest.
Remediation
Immediate action: upgrade OpenClinic GA to a patched version released after 2026-06-09. Contact the vendor or consult security advisories for the specific version that addresses CVE-2026-25860. Until patching is possible, implement compensating controls: restrict DICOM upload functionality to authenticated, trusted users only; deploy Web Application Firewall (WAF) rules to detect and block DICOM uploads containing script tags or JavaScript patterns in metadata; monitor upload logs for suspicious file submissions; and educate users not to upload DICOM files from untrusted sources.
Patch guidance
Verify the availability of an updated OpenClinic GA version from the vendor's official channels. The vulnerability was published on 2026-06-09 and modified on 2026-06-17, suggesting a patch may have been released. Apply patches to the DICOM upload components (popup.jsp and archiving/uploadfiles_jsp.java) that properly sanitize or HTML-encode metadata fields before reflection in responses. After patching, test DICOM uploads with benign and intentionally malicious payloads in metadata to confirm the fix. Maintain current patch levels going forward, as medical imaging software faces regular revision cycles.
Detection guidance
Monitor for upload attempts containing unusual characters, HTML tags, or script payloads in DICOM metadata fields using log analysis or SIEM tools. Look for HTTP requests to popup.jsp or uploadfiles_jsp.java that include encoded or unencoded script fragments (e.g., <script>, javascript:, onerror=) in query parameters or POST data. Correlate uploads with subsequent suspicious browser activity from the same user session. Network-level detection: watch for DICOM files traversing your network with metadata containing script-like content. Host-level: review web server and application logs for reflected XSS attack patterns and failed validation events.
Why prioritize this
This vulnerability should be prioritized for patching within your regular maintenance window—not emergency-level, but not deferred. While the CVSS score of 6.1 is MEDIUM and there are no known active exploits in the wild, the healthcare context is critical. Patient data and clinical workflows are at stake, and the low barrier to exploitation (no authentication, network-accessible upload feature) makes it an attractive target for opportunistic attackers or competitors. Early patching reduces dwell time and limits the window for vulnerability discovery by threat actors.
Risk score, explained
CVSS 3.1 score of 6.1 reflects: Network accessibility (AV:N) with low complexity (AC:L) and no privilege requirement (PR:N), which favors attackers. However, user interaction (UI:R) is mandatory—someone must upload the file—which reduces the score. Scope change (S:C) means the XSS can affect other users or contexts beyond the immediate upload session. Confidentiality and Integrity are impacted (C:L, I:L)—attackers can steal or modify data seen by victims—but Availability is not directly harmed (A:N). The score lands in MEDIUM severity, appropriate for a web-based XSS without direct system compromise or widespread availability impact. Organizations relying on OpenClinic GA for critical workflows should treat this as higher internal priority despite the MEDIUM label.
Frequently asked questions
Can an attacker upload a malicious DICOM file to my OpenClinic GA server without a user account?
No, the vulnerability requires a user to upload and process the file. However, the attacker does not need their own account—they can socially engineer a legitimate user (clinician, technician) into uploading a crafted DICOM file, or if the upload interface is exposed without authentication, they can upload directly. The key requirement is that the file be processed in a victim's browser session.
What data can an attacker steal using this XSS vulnerability?
An attacker can steal session cookies, authentication tokens, and any patient data currently displayed in the browser (via JavaScript DOM access). They can also modify displayed images or reports, redirect users to phishing sites, or capture keyboard input. The scope of data exposure depends on what information the DICOM viewer displays and what the victim's account has permission to access.
Is there a workaround if we cannot patch immediately?
Yes. Restrict DICOM upload access to a small, trusted group of users; implement a WAF to block uploads with script payloads in metadata; disable the DICOM upload feature entirely if not essential to your workflow; and educate staff not to upload files from external sources. These are temporary measures—plan to patch as soon as a vendor update is available.
Does this vulnerability affect DICOM file integrity or patient safety?
Not directly. The vulnerability does not corrupt medical image data itself or alter diagnostic information stored on the server. However, it can alter the display of images and reports to a clinician in real-time, potentially causing diagnostic errors if malicious JavaScript modifies rendered content. The primary risk is to session security and data confidentiality, not image integrity on disk.
This analysis is based on the CVE record published 2026-06-09 and modified 2026-06-17. Patch version numbers and vendor-specific remediation steps should be verified directly with OpenClinic GA's official security advisories or vendor support. No active exploits or confirmed attacks using this vulnerability have been documented in CISA's KEV catalog as of the publication date. This explainer is for informational purposes and does not constitute professional security advice; consult your organization's security team or a qualified vendor for deployment-specific guidance. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide
- CVE-2021-47982MEDIUMWP-Paginate 2.1.3 Stored XSS in Plugin Settings