PatchSiren cyber security CVE debrief
CVE-2026-25860 frankverbeke CVE debrief
CVE-2026-25860 is a reflected cross-site scripting (XSS) vulnerability in OpenClinic GA 5.351.19. The vulnerability exists in the DICOM image upload handler, allowing attackers to execute arbitrary JavaScript in a victim's browser by embedding malicious payloads in DICOM file metadata fields. Attackers can craft a DICOM file with JavaScript payloads in metadata fields such as Study Description, which are reflected without sanitization in popup.jsp and archiving/uploadfiles_jsp.java when processed through the Upload DICOM images feature.
- Vendor: frankverbeke
- Product: OpenClinic GA
- CVSS: MEDIUM 5.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-10
Who should care
Users of OpenClinic GA 5.351.19 should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability has a CVSS score of 5.3 and a severity of MEDIUM. It was published on [2026-06-09](https://www.cve.org/CVERecord?id=CVE-2026-25860) and modified on [2026-06-10](https://nvd.nist.gov/vuln/detail/CVE-2026-25860).
Defensive priority
MEDIUM
Recommended defensive actions
- Apply the necessary patches or updates to OpenClinic GA 5.351.19 to fix the reflected XSS vulnerability.
- Ensure that DICOM metadata fields such as Study Description are validated on upload and properly encoded wherever they are reflected into HTML, including popup.jsp and the archiving upload handler.
- Implement general defenses against cross-site scripting (XSS) so that a single unencoded field does not by itself become exploitable.
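As an added defensive illustration of the flaw described in the summary and the actions listed above (this is example code, not code from the advisory or from OpenClinic GA): a small Python walker that pulls Study Description (0008,1030) out of an explicit VR little endian DICOM Part 10 file, checks it against the LO value representation rules, and applies the actual fix, HTML-encoding the value at output time. The parser, the VR checks, the `render_study_safe` markup and the sample file bytes are all assumptions constructed here; the walker assumes a flat dataset with no undefined-length sequences.

```python
import html
import struct
STUDY_DESCRIPTION = (0x0008, 0x1030)  # VR LO (Long String, at most 64 chars)
LONG_FORM_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}  # use 4-byte length field

def _element(group, element, vr, value):
    """Encode one explicit VR little endian element (used to build the sample)."""
    if len(value) % 2:  # values are even-length: UI pads with NUL, text with space
        value += b"\x00" if vr == b"UI" else b" "
    head = struct.pack("<HH", group, element) + vr
    if vr in LONG_FORM_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value

def iter_elements(data, offset):
    """Yield (tag, vr, raw value) from a flat explicit VR LE stream (assumes no undefined-length SQ)."""
    while offset + 8 <= len(data):
        tag = struct.unpack_from("<HH", data, offset)
        vr = data[offset + 4:offset + 6]
        if vr in LONG_FORM_VRS:
            length, start = struct.unpack_from("<I", data, offset + 8)[0], offset + 12
        else:
            length, start = struct.unpack_from("<H", data, offset + 6)[0], offset + 8
        yield tag, vr, data[start:start + length]
        offset = start + length

def study_description(dicom):
    """Return Study Description from a Part 10 file ('' if absent)."""
    if dicom[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file")
    for tag, vr, value in iter_elements(dicom, 132):
        if tag == STUDY_DESCRIPTION and vr == b"LO":
            return value.decode("latin-1").rstrip(" \x00")
    return ""

def lo_violations(text):
    """LO VR rules (<= 64 chars, no backslash, no control chars but ESC); markup is legal LO, so this alone is no XSS fix."""
    control = any(ord(c) < 0x20 and c != "\x1b" for c in text)
    checks = (("too long", len(text) > 64), ("backslash", "\\" in text), ("control char", control))
    return [reason for reason, hit in checks if hit]

def render_study_safe(desc):
    """The fix the actions above call for: HTML-encode the value at the point of output."""
    return f"<div class='study'>{html.escape(desc, quote=True)}</div>"

SAMPLE_DICOM = (  # constructed minimal sample, not a real upload: explicit VR LE syntax, one LO value
    b"\x00" * 128 + b"DICM"
    + _element(0x0002, 0x0010, b"UI", b"1.2.840.10008.1.2.1")
    + _element(0x0008, 0x1030, b"LO", b"CT <b>chest</b> & abdomen")
)
```

Note that the sample value passes every LO rule yet still carries HTML markup, which is why output encoding, not field validation, is the control that closes this class of bug.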
Evidence notes
The vulnerability was discovered by Partywave and reported to CVE.org.
Official resources
CVE-2026-25860 was published on 2026-06-09T22:16:22.303Z and modified on 2026-06-10T19:41:25.327Z.