Security

CVE-2025-66168

Overview

This advisory addresses a known security vulnerability identified in a third-party dependency used within DPGW.

Vulnerability Details

  • CVE ID: CVE-2025-66168
  • Dependency Name: activemq-client
  • Affected Version of Dependency: <=6.1.8
  • Severity Score: NIST 8.8 High, CNA 5.4 Medium

Affected Versions of DPGW

  • 1.13.13-REL – 1.13.16-REL

Risk Assessment & Applicability

Usage
DPGW utilizes ActiveMQ as the message broker for topics and queues.

Analysis
activemq-client is not vulnerable by itself; the vulnerability lies inside the broker. In all of our deployments the broker is accessible only from localhost, so the attack surface is very limited.

Status
Affected

Severity Score in the context of DPGW: 6.1 Medium CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:H/SI:H/SA:L/MAV:L/MPR:H

Impact on DPGW

If an attacker were to successfully exploit this vulnerability in the context of our software, the potential impact would be: unexpected behavior of the message broker, which might lead to unavailability of our product.

Remediation & Mitigations

Scheduled fix
We have scheduled the release of version 1.13.17-REL, which should address this issue. The release is planned for mid-March 2026.

User Actions
Users can mitigate this vulnerability by verifying that the broker is not accessible from anywhere other than the localhost loopback interface.
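The check above can be made concrete on a Linux host. The following POSIX shell script is an added example, not part of the DPGW advisory or product: it reads `ss -ltn` output and reports any listener on the broker's ports that is bound to something other than the loopback address. It assumes the broker uses ActiveMQ's default OpenWire port 61616 and web console port 8161; adjust the port list to match the actual deployment.

```shell
#!/bin/sh
# Added example (not DPGW's own code): verify that the ActiveMQ broker only
# listens on loopback. Assumed ports: 61616 (OpenWire) and 8161 (web console).

# broker_loopback_only PORT...
# Reads "ss -ltn"-style lines on stdin. Prints every listener on one of the
# given ports whose local address is not 127.0.0.1 or [::1]. Returns 0 when
# all listeners on those ports are loopback-bound, 1 otherwise.
broker_loopback_only() {
  awk -v ports="$*" '
    BEGIN {
      n = split(ports, p, " ")
      for (i = 1; i <= n; i++) want[p[i]] = 1
      bad = 0
    }
    $1 == "State" { next }   # header line printed by ss without -H
    {
      # Columns: State Recv-Q Send-Q Local:Port Peer:Port
      laddr = $4
      k = split(laddr, parts, ":")
      port = parts[k]                      # last ":"-separated field
      if (!(port in want)) next
      addr = substr(laddr, 1, length(laddr) - length(port) - 1)
      if (addr == "127.0.0.1" || addr == "[::1]") next
      # 0.0.0.0, [::] or * means the broker is reachable from the network
      printf "non-loopback listener: %s\n", laddr
      bad = 1
    }
    END { exit bad }
  '
}

# Live check against the running host, only when invoked with --live so the
# file can also be sourced for its function.
if [ "${1:-}" = "--live" ]; then
  if ss -ltn | broker_loopback_only 61616 8161; then
    echo "ActiveMQ ports listen on loopback only"
  else
    echo "ActiveMQ is reachable on a non-loopback address" >&2
    exit 1
  fi
fi
```

Run it as `sh check-broker.sh --live` on the DPGW host; a non-zero exit means at least one broker port is reachable from the network and the transport connector's bind address should be restricted to 127.0.0.1.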

Security

CVE-2025-53644

Overview

This advisory addresses a known security vulnerability identified in a third-party dependency used within DPGW.

Vulnerability Details

  • CVE ID: CVE-2025-53644
  • Dependency Name: dcm4che-imageio-opencv
  • Affected Version of Dependency: <=5.34.2
  • Severity Score: 6.6 Medium

Affected Versions of DPGW

  • 1.13.13-REL – 1.13.14-REL
  • <=1.12.37-REL

Risk Assessment & Applicability

Usage
DPGW utilizes dcm4che-imageio-opencv specifically for transcoding DICOM images in compressed formats such as JPEG 2000, JPEG-LS, etc.

Analysis
dcm4che-imageio-opencv is not directly vulnerable; the vulnerability is transitive, as it depends on the OpenCV library. Attackers can only exploit this vulnerability if they can store a malicious DICOM image in the running PACS system and if DicomImageReader.properties is set to use OpenCV to decode JPEGs.

Status
Affected

Impact on DPGW

If an attacker were to successfully exploit this vulnerability in the context of our software, the potential impact would be: temporary denial of service for users, as it might cause the application to crash.

Remediation & Mitigations

Fix
Update DPGW to:
  • 1.13.15-REL (released on 2026-02-23) or newer
  • 1.12.38-REL (released on 2026-02-23) or newer

User Actions
Users can mitigate this vulnerability by reconfiguring the conf/DicomImageReader.properties file to disable the use of OpenCV and use ImageIO instead.

Security

CVE-2026-1225

Overview

This advisory addresses a known security vulnerability identified in a third-party dependency used within DPGW.

Vulnerability Details

  • CVE ID: CVE-2026-1225
  • Dependency Name: logback-core
  • Affected Version of Dependency: <=1.5.24
  • Severity Score: 1.8 Low

Affected Versions of DPGW

  • 1.13.13-REL – 1.13.14-REL
  • <=1.12.37-REL

Risk Assessment & Applicability

Usage
DPGW utilizes Logback specifically for writing, rotating and managing log files.

Analysis
The logback.xml file in our implementation is only reachable by a system administrator who already has full access to the system.
We do not support access to the logback.xml file by any other means. Permissions on the logback.xml file are set to 644.

Status
Not Affected

Remediation & Mitigations

Planned Fix
We are scheduled to update this dependency in 1.13.15-REL and 1.12.38-REL.

User Actions
No action is required by users at this time.

Security

CVE-2026-2441

https://thehackernews.com/2026/02/new-chrome-zero-day-cve-2026-2441-under.html

Google on Friday released security updates for its Chrome browser to address a security flaw that it said has been exploited in the wild.
The high-severity vulnerability, tracked as CVE-2026-2441 (CVSS score: 8.8), has been described as a use-after-free bug in CSS. Security researcher Shaheen Fazim has been credited with discovering and reporting the shortcoming on February 11, 2026.
“Use after free in CSS in Google Chrome prior to 145.0.7632.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page,” according to a description of the flaw in the NIST’s National Vulnerability Database (NVD).
Google did not disclose any details about how the vulnerability is being exploited in the wild, by whom, or who may have been targeted, but it acknowledged that “an exploit for CVE-2026-2441 exists in the wild.”

Security

Dicompass is not affected by vulnerability CVE-2021-44228 (Log4Shell)

On December 10, the National Cyber and Information Security Agency issued a critical warning about vulnerability CVE-2021-44228, also known as Log4Shell. On the same day, our team of developers began analyzing the vulnerability.

The result of the analysis is that the DPGW system is not affected by the Log4Shell vulnerability.

DPGW uses Logback and SLF4J as the logging backend. Log4j itself is not used by DPGW or any of its dependencies (for libraries that use Log4j, log4j-over-slf4j is used, which does not contain the vulnerability).
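The statement above can be verified on an installed system by inventorying the shipped JAR files. The following POSIX shell function is an added example, not Dicompass code: it walks one library directory and flags any log4j-core artifact, either by file name or by the presence of the JndiLookup class that Log4Shell abuses, while the SLF4J bridge jars the advisory mentions pass the check because they contain no Log4j 2 core classes. It assumes dependencies are shipped as .jar files in a single directory (the DPGW installation layout is not stated on the page) and that `unzip` is available for the content check.

```shell
#!/bin/sh
# Added example (not DPGW's own code): find Log4j 2 core artifacts in a
# directory of jars. Assumption: all dependency jars sit in one directory.

# find_log4j_core DIR
# Prints "<jar> (name)" for jars whose file name is a log4j-core artifact and
# "<jar> (JndiLookup)" for jars that contain the JNDI lookup class.
# Returns 0 when nothing was found, 1 otherwise.
find_log4j_core() {
  dir="$1"
  found=0
  for jar in "$dir"/*.jar; do
    [ -e "$jar" ] || continue          # glob matched nothing
    base=$(basename "$jar")
    case "$base" in
      log4j-core-*.jar)
        echo "$jar (name)"
        found=1
        continue
        ;;
    esac
    # log4j-over-slf4j and other bridges fall through to this content check;
    # they carry no org.apache.logging.log4j.core classes and are not flagged.
    if command -v unzip >/dev/null 2>&1 &&
       unzip -l "$jar" 2>/dev/null |
       grep -q 'org/apache/logging/log4j/core/lookup/JndiLookup.class'; then
      echo "$jar (JndiLookup)"
      found=1
    fi
  done
  return $found
}

# Usage: sh find-log4j.sh /path/to/dpgw/lib
if [ -n "${1:-}" ]; then
  if find_log4j_core "$1"; then
    echo "no log4j-core artifacts found in $1"
  else
    exit 1
  fi
fi
```

The name match catches renamed-but-versioned artifacts; the content check catches shaded or repackaged jars where the file name says nothing about what is inside.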

We ensure the security of the system by taking the following steps: