OFFIS DCMTK ofxml.cc parseFile heap-based overflow_CVE-2026-12805

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

Description

A flaw has been found in OFFIS DCMTK up to 3.7.0. The affected element is the function XMLNode::parseFile in the library ofstd/libsrc/ofxml.cc. Executing a manipulation can lead to heap-based buffer overflow. The attack may be performed from remote. The exploit has been published and may be used. This patch is called 1d4b3815c0987840a983160bfc671fef63a3105b. It is best practice to apply a patch to resolve this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Basic Information

ID CVE-2026-12805

Source VulDB

Published Jun 21, 2026 at 19:15

Affected Product

Vendor OFFIS

Product DCMTK

Version 3.0

Affected Versions OFFIS DCMTK 3.0
OFFIS DCMTK 3.1
OFFIS DCMTK 3.2
OFFIS DCMTK 3.3
OFFIS DCMTK 3.4
OFFIS DCMTK 3.5
OFFIS DCMTK 3.6
OFFIS DCMTK 3.7.0

CWE Classification

CWE-122 CWE-119

References

{
    "lastseen": "",
    "description": "A flaw has been found in OFFIS DCMTK up to 3.7.0. The affected element is the function XMLNode::parseFile in the library ofstd/libsrc/ofxml.cc. Executing a manipulation can lead to heap-based buffer overflow. The attack may be performed from remote. The exploit has been published and may be used. This patch is called 1d4b3815c0987840a983160bfc671fef63a3105b. It is best practice to apply a patch to resolve this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.",
    "published": "2026-06-21T19:15:07.079Z",
    "modified": "2026-06-21T19:15:07.079Z",
    "type": "cve",
    "title": "OFFIS DCMTK ofxml.cc parseFile heap-based overflow",
    "source": "VulDB",
    "references": "https://vuldb.com/vuln/372599\nhttps://vuldb.com/vuln/372599/cti\nhttps://vuldb.com/cve/CVE-2026-12805\nhttps://vuldb.com/submit/836273\nhttps://support.dcmtk.org/redmine/issues/1208\nhttps://git.dcmtk.org/?p=dcmtk.git;a=commit;h=1d4b3815c0987840a983160bfc671fef63a3105b\nhttps://medium.com/@faboherrera.fabo/dcmtk-vulnerability-report-201afc687790\nhttps://github.com/DCMTK/dcmtk/commit/1d4b3815c0987840a983160bfc671fef63a3105b",
    "id": "CVE-2026-12805",
    "bulletinFamily": "",
    "cwe": [
        "CWE-122",
        "CWE-119"
    ],
    "cvelist": null,
    "sourceData": "OFFIS DCMTK 3.0\nOFFIS DCMTK 3.1\nOFFIS DCMTK 3.2\nOFFIS DCMTK 3.3\nOFFIS DCMTK 3.4\nOFFIS DCMTK 3.5\nOFFIS DCMTK 3.6\nOFFIS DCMTK 3.7.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "DCMTK",
    "version": "3.0",
    "vendor": "OFFIS",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}