THU 02 JUL 2026 · GMT EDITION A WHITESTONE INTELLIGENCE PUBLICATION
MARKETS · CYBER · MEMOS · MODELS
DAILY ISSUES26 MAY27 MAY28 MAY29 MAY30 MAY31 MAY01 JUN02 JUN03 JUN04 JUN05 JUN06 JUN07 JUN08 JUN09 JUN10 JUN11 JUN12 JUN13 JUN14 JUN15 JUN16 JUN17 JUN18 JUN19 JUN21 JUN22 JUN23 JUN24 JUN25 JUN26 JUN27 JUN28 JUN29 JUN30 JUN01 JUN02 JUNALL ›
FRONT PAGE / CYBER / CYB-2026-06-25-F2
CYBER · ransomware threat groups · 2026-06-25SCOOP 69

Path Traversal in pynetdicom Allows Unauthenticated Arbitrary File Write (CVE-2026-56445, CVSS 9.1)

CISA's June 25 medical advisory flags CVE-2026-56445, a path traversal flaw in the pydicom project's pynetdicom library (versions 1.0.0 and later) rated CVSS v3 9.1.

·FILED ISSUE 2026-06-25·2 MIN READ·RE-VERIFIED 2026-07-02 UTC·✓ RE-VERIFIED 2026-07-02

At a glance

  • CVE-2026-56445 is a path traversal vulnerability in pynetdicom (>= v1.0.0) rated CVSS v3 9.1.
  • An unauthenticated attacker could write to arbitrary file paths via the qrscp application's C-STORE handler.
  • The flaw stems from using attacker-supplied DICOM dataset values directly in file paths.

VERDICT — CONFIRMED

pipeline-backfill confidence · primary + corroborating sources verified · re-verified 2026-07-02 UTC
Cyber desk illustration
Generated desk illustration · The Dossier Wire · not a photograph

A path traversal flaw in the pydicom project's pynetdicom library, tracked as CVE-2026-56445 and rated CVSS v3 9.1, allows an unauthenticated attacker to write to arbitrary file paths, per a CISA medical advisory published June 25.

The vulnerability affects pynetdicom versions 1.0.0 and later, per the advisory. It stems from the qrscp application's C-STORE handler using values from attacker-supplied DICOM datasets directly in file paths — letting a remote party who can reach the service dictate where files are written on the host.

The library is deployed worldwide in the healthcare and public health sector, per CISA. Fixed versions, researcher credit and any evidence of in-the-wild exploitation were not carried in the feed and remain unverified here.

Background

pydicom is a long-established open-source Python ecosystem for working with DICOM, the standard format and network protocol for medical imaging. pynetdicom implements DICOM's networking layer, and its bundled qrscp application provides the query, retrieve and storage functions of a small imaging archive. Components of this kind are woven through research pipelines, hospital tooling and vendor products, which is why flaws in them propagate far beyond any single installation.

C-STORE is the DICOM operation by which one system transmits an image object to another for storage. Path traversal arises when input that should name a file within a bounded directory is allowed to contain path components that escape it. An arbitrary file write on a server is frequently a stepping stone to full code execution, since attackers can target startup scripts, scheduled tasks or web-accessible directories.

A 9.1 CVSS rating combined with no authentication requirement places the flaw in the range typically treated as urgent for internet-reachable or poorly segmented deployments — a common condition in healthcare networks that have grown by accretion.

What comes next

The next step for deployers, per standard advisory practice, is to update pynetdicom where a fix is available, restrict network access to DICOM services, and audit hosts running qrscp for unexpected files. Watch the CISA advisory for updates, including the fixed-version details absent from the material here.

Key facts on file

  • CVE-2026-56445 is a path traversal vulnerability in pynetdicom (>= v1.0.0) rated CVSS v3 9.1.
  • An unauthenticated attacker could write to arbitrary file paths via the qrscp application's C-STORE handler.
  • The flaw stems from using attacker-supplied DICOM dataset values directly in file paths.

OFFICIAL RECORD

CISA — Cybersecurity Advisories
— (2026-06-25) · fetched at filing · archived at publication

Sources · two-source rule

PRIMARY · DOCCISA — Cybersecurity Advisories— (2026-06-25)
Share
Filed by the Cyber desk · verified by the verification desk · re-verified 2026-07-02 · Our standards: the two-source rule ›
CITE THIS FILE — The Dossier Wire · cyb-2026-06-25-f2 · filed 2026-06-25 · https://thedwire.com/wire/cyb-2026-06-25-f2-path-traversal-in-pynetdicom-allows-unauthenticated.html · Primary and corroborating sources listed above; archived at publication. Republishing & licensing: hello@thedwire.com.
More from Cyber FULL DESK ›
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · SCOOP 60

CISA Guidance: Using SASE in a Modern TIC 3.0 Solution

CISA published guidance titled "The Journey to Zero Trust — Using Secure Access Service Edge in a Modern TIC 3.0 Solution," detailing how the Trusted Internet Connections 3.0 initiative helps agencies modernize how users connect to applications, data and services. Federal agencies are the target audience, but CISA says the guidance also a

✓ verifiednewSOURCE ↗
READ THE FILE ›
Cyber desk illustration
Generated desk illustration · not a photograph
CYBER · SCOOP 55

Attackers Exploit Cisco Unified CM Flaw Weeks After Patch Release

CSO Online reported on June 24 that CVE-2026-20230, a critical Cisco Unified CM vulnerability with a CVSS base score of 8.6 that can grant attackers root access, is now under active exploitation. Threat intelligence firm Defused reported the activity on June 23 after observing it over the weekend, describing exploitation from a single sou

✓ verifiednewSOURCE ↗
READ THE FILE ›
CISA Warns of Actively Exploited Microsoft SharePoint Vulnerability
Generated illustration · not a photograph
CYBER · SCOOP 99

CISA Warns of Actively Exploited Microsoft SharePoint Vulnerability

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Microsoft SharePoint Server flaw, tracked as CVE-2026-45659 (CVSS score v3.1 of 8.8), to its Known Exploited Vulnerabi

exclusive✓ verifiednewSOURCE ↗
READ THE FILE ›

The morning wire in your inbox — every brief, primary sources linked, no noise.

Free tier. The Wire — continuous desk briefs · Records archive · Bureau alerts.

Stored to the wire's subscriber list. No spam, unsubscribe any time.