CISA issued an advisory on June 30, 2026, covering five vulnerabilities in the DCMTK toolkit, which is vital for managing DICOM images in medical facilities. The most severe issue (CVE-2026-50003, CVSS 9.8) is a path traversal flaw that allows attackers to write files. Other vulnerabilities include unauthorized worklist data exposure (CVE-2026-52868, CVSS 8.2) and denial of service caused by memory leaks (CVE-2026-50254, CVSS 7.5).
All vulnerabilities affect OFFIS DCMTK versions 3.7.0 and earlier. The recommendation is to update to the latest build and to implement network segmentation as a mitigation.