CVE-2026-32711

Published: Mar 20, 2026

Modified: Mar 20, 2026

PUBLISHED

CVSS v3.1

7.8

HIGH

Description

pydicom is a pure Python package for working with DICOM files. Versions 2.0.0-rc.1 through 3.0.1 are vulnerable to Path Traversal through a maliciously crafted DICOMDIR ReferencedFileID when it is set to a path outside the File-set root. pydicom resolves the path only to confirm that it exists, but does not verify that the resolved path remains under the File-set root. Subsequent public FileSet operations such as copy(), write(), and remove()+write(use_existing=True) use that unchecked path in file I/O operations. This allows arbitrary file read/copy and, in some flows, move/delete outside the File-set root. This issue has been fixed in version 3.0.2.

Vendor	Product	Versions
pydicom	pydicom	affected `>= 2.0.0-rc.1, < 3.0.2`

Weaknesses (CWE)

CWE-22

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/pydicom/pydicom/security/advisories/GHSA-v856-2rf8-9f28

x_refsource_CONFIRM

https://github.com/pydicom/pydicom/commit/6414f01a053dff925578799f5a7208d2ae585e82

x_refsource_MISC

https://github.com/pydicom/pydicom/releases/tag/v3.0.2

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-32711

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References