
pydicom pynetdicom Library

CRITICAL
CVSS 9.1
Date 2026-06-25T06:00:00+00:00
Source cisa-csaf
Published by CISA

// Description

Successful exploitation of this vulnerability could allow an unauthenticated attacker to write to arbitrary file paths.

// Vulnerabilities (1)

CVE ID: CVE-2026-56445
CVSS Score: 9.1
Severity: critical
Description: The qrscp application's C-STORE handler uses a specific instance from attacker-supplied DICOM datasets directly in os.path.join() without sanitization, allowing file writes to arbitrary paths.
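
The join behaviour behind this finding next to a hardened path builder, as an added example that is not pynetdicom's code. The function names and sample values are constructed; it assumes a POSIX filesystem and that the dataset value is meant to be a DICOM UID (digits and dots, at most 64 characters).

```python
import os
import re

# Assumption: the value taken from the dataset should be a DICOM UID,
# i.e. dot-separated runs of ASCII digits, at most 64 characters long.
_UID_RE = re.compile(r"[0-9]+(\.[0-9]+)*")


def unsafe_store_path(storage_dir, identifier):
    """Pattern the advisory describes: the dataset value is joined as-is."""
    return os.path.join(storage_dir, identifier)


def escapes(storage_dir, path):
    """True when path resolves to a location outside storage_dir."""
    base = os.path.realpath(storage_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


def safe_store_path(storage_dir, identifier):
    """Return a path under storage_dir, or raise ValueError."""
    if not isinstance(identifier, str) or len(identifier) > 64:
        raise ValueError("identifier is not a valid UID")
    # fullmatch rejects separators, '..', empty strings and trailing newlines.
    if not _UID_RE.fullmatch(identifier):
        raise ValueError("identifier is not a valid UID")
    base = os.path.realpath(storage_dir)
    candidate = os.path.realpath(os.path.join(base, identifier))
    # Defence in depth: the resolved path must still sit under the base.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes the storage directory")
    return candidate


if __name__ == "__main__":
    store = "/srv/dicom-store"  # constructed storage directory
    # Constructed values: one well-formed UID, one relative, one absolute.
    for value in ("1.2.840.10008.1.2.3", "../../outside/file", "/tmp/outside"):
        joined = unsafe_store_path(store, value)
        print(f"{value!r}: join -> {joined} (escapes={escapes(store, joined)})")
        try:
            print("  validated ->", safe_store_path(store, value))
        except ValueError as exc:
            print("  rejected  ->", exc)
```

A deployment that cannot change the handler can still run the same `escapes` check over the files already present in the storage directory's parent tree to look for writes that landed outside it.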

// Remediations (1)

Patch: The maintainer of pynetdicom has not responded to requests to work with CISA to mitigate this vulnerability. For update information, refer to the GitHub page https://github.com/pydicom/pynetdicom.
