DEBIAN-CVE-2026-50003

Source
https://security-tracker.debian.org/tracker/CVE-2026-50003
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-50003.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-50003
Upstream
Published
2026-06-30T22:16:57.190Z
Modified
2026-07-10T04:00:09.364184951Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
Summary
[none]
Details

A malicious or compromised server can make a DCMTK client using bit-preserving C-GET storage mode write files outside the chosen output directory, using both relative (../) paths and absolute paths.

References

Affected packages

Debian:11 / dcmtk

Package

Name
dcmtk
Purl
pkg:deb/debian/dcmtk?arch=source&distro=bullseye

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*
3.6.5-1
3.6.5-1+deb11u1
3.6.5-1+deb11u2
3.6.5-1+deb11u3
3.6.5-1+deb11u4
3.6.5-1+deb11u5
3.6.5-1+deb11u6
3.6.6-1~ext1
3.6.6-1
3.6.6-2
3.6.6-3
3.6.6-4~bpo11+1
3.6.6-4
3.6.6-5~bpo11+1
3.6.6-5
3.6.7-1
3.6.7-2
3.6.7-3
3.6.7-4
3.6.7-5
3.6.7-6~bpo11+1
3.6.7-6
3.6.7-7
3.6.7-8
3.6.7-9~deb12u1
3.6.7-9~deb12u2
3.6.7-9~deb12u3
3.6.7-9~deb12u4
3.6.7-9
3.6.7-9.1
3.6.7-11
3.6.7-12
3.6.7-13
3.6.7-14
3.6.7-15
3.6.8~git20221024.b8950f9-1
3.6.8~git20221024.b8950f9-2
3.6.8~git20221024.b8950f9-3
3.6.8~git20231027.1549d8c-1
3.6.8~git20231027.1549d8c-2
3.6.8-1
3.6.8-2
3.6.8-3
3.6.8-4
3.6.8-5
3.6.8-6
3.6.8-7
3.6.9-1
3.6.9-2
3.6.9-3
3.6.9-4
3.6.9-5
3.6.9-6
3.7.0-1
3.7.0+really3.6.9-1
3.7.0+really3.7.0-0+exp1
3.7.0+really3.7.0-1
3.7.0+really3.7.0-2
3.7.0+really3.7.0-3
3.7.0+really3.7.0-4
3.7.0+really3.7.0-5
3.7.0+really3.7.0-6
3.7.0+really3.7.0-7

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-50003.json"

Debian:12 / dcmtk

Package

Name
dcmtk
Purl
pkg:deb/debian/dcmtk?arch=source&distro=bookworm

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*
3.6.7-8
3.6.7-9~deb12u1
3.6.7-9~deb12u2
3.6.7-9~deb12u3
3.6.7-9~deb12u4
3.6.7-9
3.6.7-9.1
3.6.7-11
3.6.7-12
3.6.7-13
3.6.7-14
3.6.7-15
3.6.8~git20221024.b8950f9-1
3.6.8~git20221024.b8950f9-2
3.6.8~git20221024.b8950f9-3
3.6.8~git20231027.1549d8c-1
3.6.8~git20231027.1549d8c-2
3.6.8-1
3.6.8-2
3.6.8-3
3.6.8-4
3.6.8-5
3.6.8-6
3.6.8-7
3.6.9-1
3.6.9-2
3.6.9-3
3.6.9-4
3.6.9-5
3.6.9-6
3.7.0-1
3.7.0+really3.6.9-1
3.7.0+really3.7.0-0+exp1
3.7.0+really3.7.0-1
3.7.0+really3.7.0-2
3.7.0+really3.7.0-3
3.7.0+really3.7.0-4
3.7.0+really3.7.0-5
3.7.0+really3.7.0-6
3.7.0+really3.7.0-7

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-50003.json"

Debian:13 / dcmtk

Package

Name
dcmtk
Purl
pkg:deb/debian/dcmtk?arch=source&distro=trixie

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*
3.6.9-5
3.6.9-5+deb13u1
3.6.9-5+deb13u2
3.6.9-6
3.7.0-1
3.7.0+really3.6.9-1
3.7.0+really3.7.0-0+exp1
3.7.0+really3.7.0-1
3.7.0+really3.7.0-2
3.7.0+really3.7.0-3
3.7.0+really3.7.0-4
3.7.0+really3.7.0-5
3.7.0+really3.7.0-6
3.7.0+really3.7.0-7

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-50003.json"

Debian:14 / dcmtk

Package

Name
dcmtk
Purl
pkg:deb/debian/dcmtk?arch=source&distro=forky

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.7.0+really3.7.0-7

Affected versions

3.*
3.6.9-5
3.6.9-6
3.7.0-1
3.7.0+really3.6.9-1
3.7.0+really3.7.0-0+exp1
3.7.0+really3.7.0-1
3.7.0+really3.7.0-2
3.7.0+really3.7.0-3
3.7.0+really3.7.0-4
3.7.0+really3.7.0-5
3.7.0+really3.7.0-6

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-50003.json"