Description
A flaw has been found in OFFIS DCMTK up to 3.7.0. The affected element is the function XMLNode::parseFile in the library ofstd/libsrc/ofxml.cc. Executing a manipulation can lead to heap-based buffer overflow. The attack may be performed from remote. The exploit has been published and may be used. This patch is called 1d4b3815c0987840a983160bfc671fef63a3105b. It is best practice to apply a patch to resolve this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
References (8)
Core 8
Core References
Vdb Entry, Technical Description vdb-entry
technical-description
VDB-372599 | OFFIS DCMTK ofxml.cc parseFile heap-based overflow
https://vuldb.com/vuln/372599
Signature, Permissions Required signature
permissions-required
VDB-372599 | CTI Indicators (IOB, IOC, IOA)
https://vuldb.com/vuln/372599/cti
Third Party Advisory third-party-advisory
CVE-2026-12805 | CVE Analysis and Report
https://vuldb.com/cve/CVE-2026-12805
Third Party Advisory third-party-advisory
Submit #836273 | DCMTK 3.7.0 and below Heap-based Buffer Overflow
https://vuldb.com/submit/836273
Issue Tracking issue-tracking
https://support.dcmtk.org/redmine/issues/1208
Exploit broken-link
exploit
https://medium.com/@faboherrera.fabo/dcmtk-vulnerability-report-201afc687790
Scores
CVSS v3
6.3
EPSS
0.0028
EPSS Percentile
19.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-119
CWE-122
Status
published
Products (8)
OFFIS/DCMTK
3.0
OFFIS/DCMTK
3.1
OFFIS/DCMTK
3.2
OFFIS/DCMTK
3.3
OFFIS/DCMTK
3.4
OFFIS/DCMTK
3.5
OFFIS/DCMTK
3.6
OFFIS/DCMTK
3.7.0
Published
Jun 21, 2026
Tracked Since
Jun 22, 2026