Description

pydicom is a pure Python package for working with DICOM files. Versions 2.0.0-rc.1 through 3.0.1 are vulnerable to Path Traversal through a maliciously crafted DICOMDIR ReferencedFileID when it is set to a path outside the File-set root. pydicom resolves the path only to confirm that it exists, but does not verify that the resolved path remains under the File-set root. Subsequent public FileSet operations such as copy(), write(), and remove()+write(use_existing=True) use that unchecked path in file I/O operations. This allows arbitrary file read/copy and, in some flows, move/delete outside the File-set root. This issue has been fixed in version 3.0.2.

INFO

Published Date :

2026-03-20T01:26:15.182Z

Last Modified :

2026-03-20T16:41:56.917Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-32711 vulnerability.

Vendors Products
Pydicom
  • Pydicom
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-32711.

URL Resource
https://github.com/pydicom/pydicom/commit/6414f01a053dff925578799f5a7208d2ae585e82 cve-icon cve-icon
https://github.com/pydicom/pydicom/releases/tag/v3.0.2 cve-icon cve-icon
https://github.com/pydicom/pydicom/security/advisories/GHSA-v856-2rf8-9f28 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact