Security

🟡CVE-2025-7962

Overview

This advisory addresses a known security vulnerability identified in a third-party dependency used within DPGW.

Vulnerability Details

  • CVE ID: CVE-2025-7962
  • Dependency Name: com.sun.mail:jakarta.mail
  • Affected Version of Dependency: < 1.6.7
  • Severity Score: 6.0 Medium
    (CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N)

Affected Versions of DPGW

  • < 1.13.18-REL
  • < 1.12.42-REL
  • < 1.11.46-REL

Risk Assessment & Applicability

Usage
DPGW uses jakarta.mail as a transitive dependency of org.apache:commons-email for sending emails.

Analysis
The vulnerability is SMTP injection through \r\n sequences placed in email header values.

Status
Affected

Severity Score in the context of DPGW: 5.8 Medium
CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:P/VC:L/VI:H/VA:N/SC:N/SI:L/SA:N

Impact on DPGW

By utilizing this flaw, an attacker can:
– Spamming: Add unauthorized Bcc or Cc recipients to hide their activity.
– Phishing: Overwrite the email body to send a completely different message than the application intended.
– Header Spoofing: Change the From address to make the email appear to come from a trusted source.

An unauthorized user of DPGW has no way to set the email subject or any other email header, and the UI does not allow special characters to be entered. The vulnerability could only be used by an authorized user who forges HTTP API calls with a tool such as curl.

Because no fixed version of commons-email is available, automatic sanitization of email header input was added to DPGW.
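The kind of header check the sanitization above stands for, as an added example (Python, not DPGW's or commons-email's own code): a reject-mode validator for header names and values plus a strip-mode fallback that folds CR/LF runs into a single space. The header names and sample values are constructed.

```python
import re

# Raw CR/LF are the characters that turn one header value into several header
# lines (or terminate the header block and start the body).
_CRLF_RE = re.compile(r"[\r\n]")
_CRLF_RUN_RE = re.compile(r"[\r\n]+")
# Header names: RFC 5322 allows printable ASCII except ':'; tightened here to the
# alphanumerics and hyphens that real header names use.
_HEADER_NAME_RE = re.compile(r"^[A-Za-z0-9-]+$")
# Reject the remaining ASCII control characters as well; TAB (\x09) is allowed
# because it is legal whitespace inside a header value.
_CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


class HeaderInjectionError(ValueError):
    """Raised when a user-supplied value would be read as extra header lines."""


def check_header_value(name: str, value: str) -> str:
    """Return value unchanged if it is a single-line header value, otherwise raise.

    Reject mode is the right choice for fields a user must never be able to fold,
    such as To, Cc, Bcc, From and Subject.
    """
    if not _HEADER_NAME_RE.match(name):
        raise HeaderInjectionError(f"invalid header name {name!r}")
    if _CRLF_RE.search(value):
        raise HeaderInjectionError(f"CR/LF in header {name}: {value!r}")
    if _CONTROL_RE.search(value):
        raise HeaderInjectionError(f"control character in header {name}: {value!r}")
    return value


def sanitize_header_value(value: str) -> str:
    """Strip-mode alternative: collapse every CR/LF run into one space.

    Suitable for free-text fields (e.g. a display name) where failing the whole
    request would be too strict; the result is always a single header line.
    """
    return _CRLF_RUN_RE.sub(" ", value).strip()


def build_headers(to: str, subject: str) -> dict:
    """Headers for an application-generated mail; every user-influenced value is checked."""
    return {
        "To": check_header_value("To", to),
        "Subject": check_header_value("Subject", subject),
    }
```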

Remediation & Mitigations

Scheduled fix
Update to:
– 1.13.19-REL (released on 2026-04-29) or newer
– 1.12.43-REL (released on 2026-04-24) or newer

User Actions
No user action required

Security

🟢CVE-2026-42198

Overview

This advisory addresses a known security vulnerability identified in a third-party dependency used within DPGW.

Vulnerability Details

  • CVE ID: CVE-2026-42198
  • Dependency Name: postgresql JDBC
  • Affected Version of Dependency: 42.2.0 – 42.7.10
  • Severity Score: 7.5 High
    (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

DPGW versions with affected versions of the dependency

  • <= 1.13.20-REL
  • <= 1.12.45-REL

Risk Assessment & Applicability

Usage
DPGW uses postgresql JDBC driver to connect to the database.

Analysis
CVE-2026-42198 is a client-side Denial of Service (DoS) vulnerability in the PostgreSQL JDBC Driver (pgjdbc). It occurs during the SCRAM-SHA-256 authentication handshake.
Mechanism: a malicious server can send a “server-first-message” containing an extremely high iteration count for the PBKDF2 function (e.g., millions or billions of iterations). The client will attempt to compute this hash, consuming 100% of a CPU core for an unbounded amount of time. This can freeze connection pools and hang the application.

Because DPGW does not connect to arbitrary, user-supplied, or untrusted external database URLs, a direct “malicious server” attack from the outside is impossible. An attacker cannot simply provide a URL to their own server to trigger the DoS.
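An added example, not pgjdbc's own code, of the client-side guard that defuses this handshake: parse the server-first-message and bound the iteration count before any PBKDF2 work starts. The messages, the nonce and the 1,000,000 cap are constructed assumptions for illustration.

```python
import base64
import hashlib

# Upper bound on the PBKDF2 iteration count this client will honour. PostgreSQL's
# own default is 4096; the bound is an assumption, generous for hardened servers
# but far below the counts that pin a CPU core for minutes or hours.
MAX_SCRAM_ITERATIONS = 1_000_000

# Constructed SCRAM-SHA-256 server-first-messages (RFC 5802 syntax):
#   r = client nonce + server nonce, s = base64 salt, i = iteration count
CLIENT_NONCE = "fyko+d2lbbFgONRv9qkxdawL"
SERVER_FIRST_OK = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096"
SERVER_FIRST_DOS = "r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=2147483647"


class ScramHandshakeError(ValueError):
    """Raised when the server-first-message is malformed or outside policy."""


def parse_server_first(msg: str, client_nonce: str,
                       max_iterations: int = MAX_SCRAM_ITERATIONS) -> dict:
    """Parse and validate r=, s= and i= before any key derivation is attempted."""
    attrs = {}
    for part in msg.split(","):
        key, sep, val = part.partition("=")
        if sep != "=" or len(key) != 1:
            raise ScramHandshakeError(f"malformed attribute {part!r}")
        attrs[key] = val
    if any(k not in attrs for k in ("r", "s", "i")):
        raise ScramHandshakeError("missing r=, s= or i=")
    # The combined nonce must extend what we sent, or the reply is not for us.
    if not attrs["r"].startswith(client_nonce) or attrs["r"] == client_nonce:
        raise ScramHandshakeError("server nonce does not extend client nonce")
    if not attrs["i"].isdigit():
        raise ScramHandshakeError(f"non-numeric iteration count {attrs['i']!r}")
    iterations = int(attrs["i"])
    # This is the check that neutralises the DoS: refuse absurd counts up front.
    if not 1 <= iterations <= max_iterations:
        raise ScramHandshakeError(f"iteration count {iterations} outside 1..{max_iterations}")
    return {"nonce": attrs["r"], "salt": base64.b64decode(attrs["s"]), "iterations": iterations}


def salted_password(password: str, server_first: dict) -> bytes:
    """SaltedPassword := Hi(Normalize(password), salt, i), i.e. PBKDF2-HMAC-SHA-256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               server_first["salt"], server_first["iterations"])
```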

Status
Not affected

Impact on DPGW

No impact when using localhost-only DB connections or connecting to trusted servers.

Remediation & Mitigations

User Actions
Do not configure DPGW against untrusted PostgreSQL database servers.

Security

🟢CVE-2026-0636, CVE-2026-5588

Overview

This advisory addresses a known security vulnerability identified in a third-party dependency used within DPGW.

Vulnerability Details

  • CVE ID: CVE-2026-0636, CVE-2026-5588
  • Dependency Name: org.bouncycastle:bcprov-jdk18on, org.bouncycastle:bcpkix-jdk18on
  • Affected Version of Dependency: 1.74 – 1.82
  • Severity Score: 6.3 Medium, 5.5 Medium
    (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/S:N/AU:Y/R:A/RE:M/U:Amber)

DPGW versions with affected versions of the dependencies

  • < 1.13.18-REL
  • < 1.12.42-REL
  • < 1.11.46-REL

Risk Assessment & Applicability

Usage
DPGW uses Bouncy Castle as its default cryptographic provider. The LDAP functionality of the Bouncy Castle library is not used by DPGW.

Analysis
CVE-2026-0636
When applications use Bouncy Castle to retrieve digital certificates or CRLs (Certificate Revocation Lists) from an LDAP directory, the library constructs a search filter. In affected versions, the library fails to properly sanitize or “escape” special characters (such as *, ( and )) before placing them into the query.
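An added example, not Bouncy Castle's code, of the escaping the affected filter construction lacks: an RFC 4515 value escaper and an equality-filter builder, with the unescaped form kept beside it for comparison. It also escapes backslash and NUL, which the advisory does not list but RFC 4515 requires; attribute names and values are constructed.

```python
import re

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion
# value, otherwise they change the structure of the filter instead of its data.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Attribute descriptions (RFC 4512): a letter followed by letters, digits, '-', '.', ';'.
_ATTRIBUTE_RE = re.compile(r"^[A-Za-z][A-Za-z0-9.;-]*$")


def escape_ldap_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    # Each character is mapped independently, so a backslash becomes \5c and the
    # hex escapes produced here are never escaped a second time.
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_equality_filter(attribute: str, value: str) -> str:
    """Build '(attribute=value)' with the value escaped, e.g. for a certificate lookup by CN."""
    if not _ATTRIBUTE_RE.match(attribute):
        raise ValueError(f"invalid attribute description {attribute!r}")
    return f"({attribute}={escape_ldap_value(value)})"


def build_equality_filter_unsafe(attribute: str, value: str) -> str:
    """The affected pattern, kept only for comparison: the value goes in verbatim."""
    return f"({attribute}={value})"
```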

CVE-2026-5588
CompositeVerifier is designed to handle “composite signatures”, a scheme that applies several different cryptographic algorithms at once so that if one is broken (e.g., RSA), the other (e.g., ML-DSA) still protects the data.
The flaw is in how the library handles empty data: CompositeVerifier incorrectly treats an empty signature sequence as a valid signature.

Status
Not affected

Impact on DPGW

The codebase is NOT directly affected by CVE-2026-5588 in its current state, even though it uses a vulnerable version of Bouncy Castle (1.82). It was confirmed that the vulnerable components (CompositeVerifier, JcaContentVerifierProviderBuilder and CMP (Certificate Management Protocol) support) are not used anywhere in the project.

No impact for CVE-2026-0636 as DPGW does not use any functionality for LDAP from the BouncyCastle library.

Remediation & Mitigations

Scheduled fix
Update to:
– 1.13.19-REL (scheduled for the end of April 2026) or newer
– 1.12.43-REL (scheduled for the end of April 2026) or newer

User Actions
No user action required

Security

🔴CVE-2026-1605

Overview

This advisory addresses a known security vulnerability identified in a third-party dependency used within DPGW.

Vulnerability Details

  • CVE ID: CVE-2026-1605
  • Dependency Name: jetty-server
  • Affected Version of Dependency: 12.0.0-12.0.31, 12.1.0-12.1.5
  • Severity Score: CNA 7.5 High

Affected Versions of DPGW

  • 1.13.13-REL – 1.13.16-REL
  • 1.12.09-REL – 1.12.39-REL
  • 1.11.16-REL – 1.11.43-REL

Risk Assessment & Applicability

Usage
DPGW uses Jetty as the web server that handles all clients.

Analysis
The vulnerability lies directly in the web server and requires no authorization to exploit. Where the web server port(s) are reachable from an external network (the internet), anyone can crash DPGW by sending a malicious HTTP request.

Status
Affected

Severity Score in the context of DPGW: 8.7 High
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Impact on DPGW

If an attacker were to successfully exploit this vulnerability in the context of our software, the potential impact would be: a crash of the JVM leading to temporary unavailability of the service.

Remediation & Mitigations

Fix
Update to: 1.13.17-REL or newer, 1.12.40-REL or newer, 1.11.44-REL or newer.

User Actions
Users can mitigate this vulnerability by disabling gzip compression in dpgw.xml.

Security

🟢CVE-2026-39882

Overview

This advisory addresses a known security vulnerability identified in a third-party dependency used within DPGW.

Vulnerability Details

  • CVE ID: CVE-2026-39882
  • Dependency Name: prometheus-metrics
  • Affected Version of Dependency: < 4.1.132, < 4.2.10
  • Severity Score: CVSS:3.1 = 5.3 Medium

Affected Versions of DPGW

  • 1.13.13-REL – 1.13.17-REL

Risk Assessment & Applicability

Usage
DPGW utilizes prometheus-metrics for providing observability metrics to be scraped by Grafana Alloy.

Analysis
CVE-2026-39882

Status
Affected

Severity Score in the context of DPGW: 0.9 Low
CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

Impact on DPGW

If an attacker were to successfully exploit this vulnerability in the context of our software, the potential impact would be: memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can man-in-the-middle the exporter connection).
As the metrics endpoint should only ever be reachable from the local network, an attacker would need to control the Grafana Alloy instance installed on the server. This adds further prerequisites for the attack, so the risk is low.

Remediation & Mitigations

Scheduled fix
Update to: 1.13.18-REL (scheduled for the middle of April 2026) or newer

User Actions
Check that the /metrics endpoint is enabled only for connectors reachable over local connections. Configuration: /dpgw/modules/module[@name='Monitoring']/parameters/@web-connectors should not contain “*” or any publicly accessible connector.
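An added audit script for the configuration check above (not a DPGW tool): it reads the Monitoring module's web-connectors attribute at the path quoted above from a constructed dpgw.xml fragment and flags “*” or any connector outside an allowlist of local-only connectors. That web-connectors holds a comma-separated list of connector names, and the connector names themselves, are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed fragment of a dpgw.xml; only the path named in the advisory's XPath
# is modelled. The comma-separated form of web-connectors and the connector names
# are assumptions, not taken from DPGW documentation.
DPGW_XML_EXPOSED = """<dpgw>
  <modules>
    <module name="Monitoring">
      <parameters web-connectors="*"/>
    </module>
  </modules>
</dpgw>"""

DPGW_XML_LOCAL = DPGW_XML_EXPOSED.replace('web-connectors="*"', 'web-connectors="loopback-http"')


def monitoring_web_connectors(xml_text: str) -> list:
    """Return the connector names on which the Monitoring module publishes /metrics."""
    root = ET.fromstring(xml_text)
    # ElementTree's XPath subset handles tag[@attr='value'] predicates; the attribute
    # itself is read with .get() because find() returns elements only.
    params = root.find("./modules/module[@name='Monitoring']/parameters")
    if params is None:
        return []  # no Monitoring module configured: nothing is exposed
    raw = params.get("web-connectors", "")
    return [name.strip() for name in raw.split(",") if name.strip()]


def audit_metrics_exposure(xml_text: str, local_only_connectors: set) -> list:
    """List findings; an empty list means /metrics is limited to local-only connectors."""
    findings = []
    for name in monitoring_web_connectors(xml_text):
        if name == "*":
            findings.append("web-connectors contains '*': /metrics is served on every connector")
        elif name not in local_only_connectors:
            findings.append(f"connector {name!r} is not in the local-only allowlist")
    return findings
```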

Security

🟢CVE-2026-33871, CVE-2026-33870

Overview

This advisory addresses a known security vulnerability identified in a third-party dependency used within DPGW.

Vulnerability Details

  • CVE ID: CVE-2026-33871, CVE-2026-33870
  • Dependency Name: netty-transport-4.1.130
  • Affected Version of Dependency: < 4.1.132, < 4.2.10
  • Severity Score: CVSS-B 8.7 HIGH, 7.5 HIGH

Affected Versions of DPGW

  • <= 1.13.17-REL
  • <= 1.12.41-REL
  • <= 1.11.46-REL

Risk Assessment & Applicability

Usage
DPGW uses netty-transport as a transitive dependency of the libraries for accessing Azure Blob Storage and S3 storage.

Analysis
DPGW does not act as a server for S3 / Azure object storage and uses the vulnerable library only as a client. Neither denial of service nor request smuggling attacks can affect the functionality of DPGW.

Status
Unaffected

Impact on DPGW

No impact

Remediation & Mitigations

Fix
Update to: 1.12.42-REL or newer, 1.13.18-REL or newer

User Actions
No user action required.

Security

🟡CVE-2025-66168

Overview

This advisory addresses a known security vulnerability identified in a third-party dependency used within DPGW.

Vulnerability Details

  • CVE ID: CVE-2025-66168
  • Dependency Name: activemq-client
  • Affected Version of Dependency: <=6.1.8
  • Severity Score: NIST 8.8 High, CNA 5.4 Medium

Affected Versions of DPGW

  • 1.13.13-REL – 1.13.16-REL

Risk Assessment & Applicability

Usage
DPGW uses ActiveMQ as a message broker for topics and queues.

Analysis
activemq-client is not vulnerable by itself; the vulnerability lies in the broker. In all of our deployments the broker is accessible only from localhost, so the attack surface is very limited.

Status
Affected

Severity Score in the context of DPGW: 6.1 Medium
CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:L/MAV:L/MPR:H

Impact on DPGW

If an attacker were to successfully exploit this vulnerability in the context of our software, the potential impact would be: unexpected behavior of message broker which might lead to unavailability of our product.

Remediation & Mitigations

Fix
Update to 1.13.17-REL or newer.

User Actions
Users can mitigate this vulnerability by checking that the broker is not accessible from anywhere other than the localhost loopback interface.

Security

🟡CVE-2025-53644

Overview

This advisory addresses a known security vulnerability identified in a third-party dependency used within DPGW.

Vulnerability Details

  • CVE ID: CVE-2025-53644
  • Dependency Name: dcm4che-imageio-opencv
  • Affected Version of Dependency: <=5.34.2
  • Severity Score: 6.6 Medium

Affected Versions of DPGW

  • 1.13.13-REL – 1.13.14-REL
  • <=1.12.37-REL

Risk Assessment & Applicability

Usage
DPGW utilizes the dcm4che-imageio-opencv specifically for transcoding DICOM images in compressed formats like JPEG2000, JPEG-LS, etc.

Analysis
dcm4che-imageio-opencv is not directly vulnerable; the vulnerability is transitive, as it depends on the OpenCV library. Attackers can only exploit this vulnerability if they can store a malicious DICOM image in the running PACS system and if DicomImageReader.properties is set to use OpenCV to decode JPEGs.

Status
Affected

Impact on DPGW

If an attacker were to successfully exploit this vulnerability in the context of our software, the potential impact would be: temporary denial of service for users as it might cause the application to crash.

Remediation & Mitigations

Fix
Update DPGW to:
1.13.15-REL (released on 2026-02-23) or newer
1.12.38-REL (released on 2026-02-23) or newer

User Actions
Users can mitigate this vulnerability by reconfiguring conf/DicomImageReader.properties file to disable the use of OpenCV and use ImageIO instead.

Security

🟢CVE-2026-1225

Overview

This advisory addresses a known security vulnerability identified in a third-party dependency used within DPGW.

Vulnerability Details

  • CVE ID: CVE-2026-1225
  • Dependency Name: logback-core
  • Affected Version of Dependency: <=1.5.24
  • Severity Score: 1.8 Low

Affected Versions of DPGW

  • 1.13.13-REL – 1.13.14-REL
  • <=1.12.37-REL

Risk Assessment & Applicability

Usage
DPGW utilizes the logback specifically for writing, rotating and managing log files.

Analysis
In our implementation, logback.xml is reachable only by a system administrator who already has full access to the system.
We do not support access to the logback.xml file by any other means. Permissions on the logback.xml file are set to 644.

Status
Not Affected

Remediation & Mitigations

Fix
Update to: 1.13.15-REL or newer, 1.12.38-REL or newer.

User Actions
No action required by users at this time.

Security

CVE-2026-2441

https://thehackernews.com/2026/02/new-chrome-zero-day-cve-2026-2441-under.html

Google on Friday released security updates for its Chrome browser to address a security flaw that it said has been exploited in the wild.
The high-severity vulnerability, tracked as CVE-2026-2441 (CVSS score: 8.8), has been described as a use-after-free bug in CSS. Security researcher Shaheen Fazim has been credited with discovering and reporting the shortcoming on February 11, 2026.
“Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page,” according to a description of the flaw in the NIST’s National Vulnerability Database (NVD).
Google did not disclose any details about how the vulnerability is being exploited in the wild, by whom, or who may have been targeted, but it acknowledged that “an exploit for CVE-2026-2441 exists in the wild.”