Orthanc-server Orthanc

13 CVEs affecting Orthanc-server Orthanc. Latest disclosed: 2026-04-09. Critical: 4, High: 7, Medium: 1; one entry (CVE-2025-15581) is listed without a severity or score.

Top CVEs affecting Orthanc-server Orthanc
CVE | Severity | Score | Published | Summary
CVE-2026-5443 | Critical | 9.8 | 2026-04-09 | A heap buffer overflow vulnerability exists during the decoding of `PALETTE COLOR` DICOM images. Pixel length validation uses 32-bit multiplication for width a…
CVE-2026-5442 | Critical | 9.8 | 2026-04-09 | A heap buffer overflow vulnerability exists in the DICOM image decoder. Dimension fields are encoded using Value Representation (VR) Unsigned Long (UL), instea…
CVE-2025-0896 | Critical | 9.8 | 2025-02-13 | Orthanc server prior to version 1.5.8 does not enable basic authentication by default when remote access is enabled. This could result in unauthorized access b…
CVE-2026-5445 | Critical | 9.1 | 2026-04-09 | An out-of-bounds read vulnerability exists in the `DecodeLookupTable` function within `DicomImageDecoder.cpp`. The lookup-table decoding logic used for `PALETT…
CVE-2023-33466 | High | 8.8 | 2023-06-29 | Orthanc before 1.12.0 allows authenticated users with access to the Orthanc API to overwrite arbitrary files on the file system, and in specific deployment sce…
CVE-2026-5440 | High | 7.5 | 2026-04-09 | A memory exhaustion vulnerability exists in the HTTP server due to unbounded use of the `Content-Length` header. The server allocates memory directly based on…
CVE-2026-5439 | High | 7.5 | 2026-04-09 | A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metada…
CVE-2026-5438 | High | 7.5 | 2026-04-09 | A gzip decompression bomb vulnerability exists when Orthanc processes an HTTP request with `Content-Encoding: gzip`. The server does not enforce limits on decompr…
CVE-2026-5437 | High | 7.5 | 2026-04-09 | An out-of-bounds read vulnerability exists in `DicomStreamReader` during DICOM meta-header parsing. When processing malformed metadata structures, the parser m…
CVE-2026-5444 | High | 7.1 | 2026-04-09 | A heap buffer overflow vulnerability exists in the PAM image parsing logic. When Orthanc processes a crafted PAM image embedded in a DICOM file, image dimensio…
CVE-2026-5441 | High | 7.1 | 2026-04-09 | An out-of-bounds read vulnerability exists in the `DecodePsmctRle1` function of `DicomImageDecoder.cpp`. The `PMSCT_RLE1` decompression routine, which decodes…
CVE-2024-22725 | Medium | 6.1 | 2024-01-24 | Orthanc versions before 1.12.2 are affected by a reflected cross-site scripting (XSS) vulnerability. The vulnerability was present in the server's error report…
CVE-2025-15581 | | | 2026-02-18 | Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's HTTP Basic Authentication implementation. Successful exploit…
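The decoder overflows in the table (CVE-2026-5443, CVE-2026-5442, CVE-2026-5444) and the lookup-table read (CVE-2026-5445) are described in terms of size arithmetic on dimension and descriptor fields read from the DICOM data. The C++ below is an added illustration of that bug class and its fix, not Orthanc's code; the function names, the 1 GiB cap and the sample dimensions are this example's own assumptions. It puts a 32-bit byte-count computation that wraps next to a checked 64-bit one, measures how far a decoder writing the true pixel count would run past a buffer sized by the wrapping value, and adds the descriptor-versus-payload length check a palette decoder needs before reading LUT entries.

```cpp
#include <cstdint>
#include <cstdio>

// Added example, not Orthanc's code. Cap on a single decoded frame; the
// value is an assumption chosen for illustration.
const uint64_t kMaxPixelBytes = 1ull << 30;

// Vulnerable pattern: width * height * bytesPerPixel in 32-bit arithmetic.
// A product of 2^32 or more wraps, so the allocation comes out too small
// while the decoder still writes the true number of bytes.
uint32_t PixelBytesWrapping(uint32_t width, uint32_t height, uint32_t bytesPerPixel) {
  return width * height * bytesPerPixel;
}

// Hardened pattern: compute in 64 bits, check every multiplication for
// overflow, and apply an absolute cap. Returns false when the request is unsafe.
bool PixelBytesChecked(uint32_t width, uint32_t height, uint32_t bytesPerPixel,
                       uint64_t maxBytes, uint64_t& outBytes) {
  if (width == 0 || height == 0 || bytesPerPixel == 0) return false;
  uint64_t pixels = static_cast<uint64_t>(width) * height;   // two 32-bit factors always fit in 64 bits
  if (pixels > UINT64_MAX / bytesPerPixel) return false;      // pixels * bytesPerPixel would overflow
  uint64_t bytes = pixels * bytesPerPixel;
  if (bytes > maxBytes) return false;
  outBytes = bytes;
  return true;
}

// Convenience wrapper: the checked size, or 0 when the request is rejected.
uint64_t CheckedOrZero(uint32_t width, uint32_t height, uint32_t bytesPerPixel, uint64_t maxBytes) {
  uint64_t bytes = 0;
  return PixelBytesChecked(width, height, bytesPerPixel, maxBytes, bytes) ? bytes : 0;
}

// Bytes a decoder writing width*height*bytesPerPixel would place past the end
// of a buffer sized by PixelBytesWrapping (0 when the wrapping value was correct).
uint64_t OverflowBytes(uint32_t width, uint32_t height, uint32_t bytesPerPixel) {
  uint64_t pixels = static_cast<uint64_t>(width) * height;
  if (bytesPerPixel != 0 && pixels > UINT64_MAX / bytesPerPixel) return UINT64_MAX;  // unbounded
  uint64_t truth = pixels * bytesPerPixel;
  uint64_t allocated = PixelBytesWrapping(width, height, bytesPerPixel);
  return truth > allocated ? truth - allocated : 0;
}

// Palette LUT: the descriptor declares the entry count and entry width, the
// LUT data element carries the bytes. Reading entries without this check reads
// past the element when the descriptor promises more than is present.
// Per the DICOM descriptor convention, an entry count of 0 means 65536.
bool LutBytesFit(uint16_t entries, uint16_t bitsPerEntry, size_t availableBytes) {
  if (bitsPerEntry != 8 && bitsPerEntry != 16) return false;
  uint64_t count = (entries == 0) ? 65536 : entries;
  uint64_t needed = count * (bitsPerEntry / 8);
  return needed <= availableBytes;
}

int main() {
  // 65536 x 65536 x 1 byte: the true size is exactly 2^32, which wraps to 0.
  std::printf("wrapping size: %u bytes\n", PixelBytesWrapping(65536u, 65536u, 1u));
  std::printf("checked size (0 = rejected): %llu\n",
              (unsigned long long)CheckedOrZero(65536u, 65536u, 1u, kMaxPixelBytes));
  std::printf("bytes written past the buffer: %llu\n",
              (unsigned long long)OverflowBytes(65536u, 65536u, 1u));
  std::printf("256-entry 16-bit LUT in 256 bytes fits: %d\n", LutBytesFit(256u, 16u, 256u));
  return 0;
}
```

The checked version rejects in two distinct ways: a wrapped product (caught by the division test) and an honest but oversized frame (caught by the cap). Both matter, because a dimension field that is merely large, as a 32-bit UL value can be, exhausts memory without ever wrapping.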
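CVE-2026-5439 (ZIP metadata), CVE-2026-5440 (`Content-Length`) and CVE-2026-5438 (gzip) are the same mistake seen from the resource-exhaustion side: a size the client declares is used to decide how much memory to allocate or how much output to accept. The C++ below is an added example, not Orthanc's code. It parses a ZIP local file header from a constructed archive whose declared uncompressed size is a lie (assumptions: one stored entry, no deflate, so no zlib is needed; the 1 MiB budget and all function names are this example's own) and contrasts an extractor that sizes its output from the header with one that only grows from bytes actually present under a fixed budget. The same budget discipline applies to a `Content-Length` value or to the output of a gzip decompressor: consume in chunks, count what arrives, and stop at the cap.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Added example, not Orthanc's code. Minimal view of a ZIP local file header.
struct ZipLocalEntry {
  std::string name;
  uint16_t method = 0;           // 0 = stored, 8 = deflate
  uint32_t compressedSize = 0;
  uint32_t uncompressedSize = 0; // attacker-controlled, like every other field
  size_t dataOffset = 0;
};

static uint32_t ReadLE(const std::vector<uint8_t>& b, size_t pos, size_t width) {
  uint32_t v = 0;
  for (size_t i = 0; i < width; ++i) v |= static_cast<uint32_t>(b[pos + i]) << (8 * i);
  return v;
}

// Parses the local file header at `pos`. Every length is checked against the
// bytes that are really in the buffer before it is used.
bool ParseLocalHeader(const std::vector<uint8_t>& zip, size_t pos, ZipLocalEntry& e) {
  const size_t kFixed = 30;  // signature(4) ... extra length(2)
  if (pos > zip.size() || zip.size() - pos < kFixed) return false;
  if (ReadLE(zip, pos, 4) != 0x04034b50u) return false;  // "PK\x03\x04"
  e.method = static_cast<uint16_t>(ReadLE(zip, pos + 8, 2));
  e.compressedSize = ReadLE(zip, pos + 18, 4);
  e.uncompressedSize = ReadLE(zip, pos + 22, 4);
  size_t nameLen = ReadLE(zip, pos + 26, 2);
  size_t extraLen = ReadLE(zip, pos + 28, 2);
  if (zip.size() - pos - kFixed < nameLen + extraLen) return false;
  e.name.assign(reinterpret_cast<const char*>(zip.data() + pos + kFixed), nameLen);
  e.dataOffset = pos + kFixed + nameLen + extraLen;
  return true;
}

// Trusting pattern: the output allocation is driven by the header field alone.
uint64_t TrustingReservation(const ZipLocalEntry& e) { return e.uncompressedSize; }

// Hardened pattern: the declared uncompressed size is never consulted. Only
// bytes present in the archive are copied, and never more than `budget`.
bool ExtractStoredBounded(const std::vector<uint8_t>& zip, const ZipLocalEntry& e,
                          size_t budget, std::vector<uint8_t>& out) {
  if (e.method != 0) return false;            // this example handles stored entries only
  if (e.dataOffset > zip.size()) return false;
  size_t present = zip.size() - e.dataOffset;
  size_t len = std::min<size_t>(e.compressedSize, present);  // clamp to what is really there
  if (len > budget) return false;             // refuse instead of growing past the cap
  out.assign(zip.begin() + e.dataOffset, zip.begin() + e.dataOffset + len);
  return true;
}

// Constructed sample archive: one stored entry "a.txt" carrying 5 bytes, whose
// header claims an uncompressed size of 0xFFFFFFFF (about 4 GiB).
std::vector<uint8_t> BuildLyingArchive() {
  std::vector<uint8_t> z;
  auto put = [&z](uint32_t v, size_t width) {
    for (size_t i = 0; i < width; ++i) z.push_back(static_cast<uint8_t>((v >> (8 * i)) & 0xFFu));
  };
  put(0x04034b50u, 4);               // local file header signature
  put(20, 2); put(0, 2); put(0, 2);  // version needed, flags, method = stored
  put(0, 2); put(0, 2);              // mod time, mod date
  put(0, 4);                         // crc32 (not verified in this example)
  put(5, 4);                         // compressed size: the truth
  put(0xFFFFFFFFu, 4);               // uncompressed size: the lie
  put(5, 2); put(0, 2);              // name length, extra length
  const char* name = "a.txt"; z.insert(z.end(), name, name + 5);
  const char* data = "hello"; z.insert(z.end(), data, data + 5);
  return z;
}

// What a header-trusting extractor would reserve for the sample entry.
uint64_t DemoTrustingReservation() {
  std::vector<uint8_t> zip = BuildLyingArchive();
  ZipLocalEntry e;
  return ParseLocalHeader(zip, 0, e) ? TrustingReservation(e) : 0;
}

// Bytes the bounded extractor produces for the sample entry, or -1 if it refuses.
long DemoExtractedBytes(size_t budget) {
  std::vector<uint8_t> zip = BuildLyingArchive();
  ZipLocalEntry e;
  if (!ParseLocalHeader(zip, 0, e)) return -1;
  std::vector<uint8_t> out;
  if (!ExtractStoredBounded(zip, e, budget, out)) return -1;
  return static_cast<long>(out.size());
}

int main() {
  std::printf("trusting extractor would reserve %llu bytes\n",
              (unsigned long long)DemoTrustingReservation());
  std::printf("bounded extractor, 1 MiB budget: %ld bytes\n", DemoExtractedBytes(1u << 20));
  std::printf("bounded extractor, 4-byte budget: %ld (refused)\n", DemoExtractedBytes(4u));
  return 0;
}
```

For a deflated entry or a gzip request body the budget sits on the decompressor's output side rather than on a memcpy, but the shape is identical: feed the inflater a chunk at a time, add what it emits to a running total, and abort once that total passes the cap, regardless of what any header promised.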