VDB

CVE-2026-5439

CVE-2026-5439 PUBLISHED

A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction.

EPSS 0.06% · 19.0th percentile

Risk Scores

EPSS Score
0.06%
19.0th percentile

Affected Products

VendorProductVersions
OrthancDICOM Server0

Timeline

  • Apr 9, 2026 CVE Published
  • Apr 9, 2026 PoC Published
  • Apr 9, 2026 Security Advisory
  • Apr 10, 2026 EPSS Score
  • Apr 14, 2026 CVE Updated
  • Apr 16, 2026 Security Advisory
  • May 18, 2026 EPSS Score
  • May 19, 2026 EPSS Score
  • May 20, 2026 EPSS Score
  • May 21, 2026 EPSS Score
  • May 22, 2026 EPSS Score
  • May 23, 2026 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›