CVE-2018-25142
CRITICAL
NovaRad NovaPACS Diagnostics Viewer <8.5.19.75 - XXE Injection
Title source: llm
Description
NovaRad NovaPACS Diagnostics Viewer 8.5.19.75 contains an unauthenticated XML External Entity (XXE) injection vulnerability in XML preference import settings. Attackers can craft malicious XML files with DTD parameter entities to retrieve arbitrary system files through an out-of-band channel attack.
Exploits (1)
Scores
CVSS v3
9.8
EPSS
0.0006
EPSS Percentile
20.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-611
Status
published
Products (1)
NovaRad Corporation/NovaPACS Diagnostics Viewer
8.5.19.75
Published
Dec 24, 2025
Tracked Since
Feb 18, 2026