CVE Alert

CVE-2026-32711

HIGH 7.8

pydicom: Path traversal in FileSet/DICOMDIR ReferencedFileID allows file access outside the File-set root

CVSS Score
7.8
EPSS Score
0.0%
EPSS Percentile
3rd

pydicom is a pure Python package for working with DICOM files. Versions 2.0.0-rc.1 through 3.0.1 are vulnerable to Path Traversal through a maliciously crafted DICOMDIR ReferencedFileID when it is set to a path outside the File-set root. pydicom resolves the path only to confirm that it exists, but does not verify that the resolved path remains under the File-set root. Subsequent public FileSet operations such as copy(), write(), and remove()+write(use_existing=True) use that unchecked path in file I/O operations. This allows arbitrary file read/copy and, in some flows, move/delete outside the File-set root. This issue has been fixed in version 3.0.2.
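As an added example (not pydicom's code), the two patterns the advisory contrasts: resolving a ReferencedFileID only to confirm it exists, beside the containment check on the resolved path that keeps file I/O under the File-set root. The layout (ReferencedFileID as a list of path components joined under the root) and all file names are constructed assumptions.

```python
import tempfile
from pathlib import Path

# Added example, not pydicom's code. ReferencedFileID is modelled as the list of path
# components the element carries, joined under the File-set root (layout assumption).

class PathTraversalError(ValueError):
    """Raised when a ReferencedFileID resolves outside the File-set root."""

def unchecked_referenced_path(root: Path, file_id: list[str]) -> Path:
    """Pattern the advisory describes: resolving proves existence, not containment."""
    candidate = root.joinpath(*file_id).resolve()
    candidate.stat()  # existence check only; raises FileNotFoundError if missing
    return candidate

def checked_referenced_path(root: Path, file_id: list[str]) -> Path:
    """Hardened: components must be bare names, and the fully resolved path
    (symlinks followed) must still lie under the resolved File-set root."""
    for part in file_id:
        if part in ("", ".", "..") or any(c in part for c in "/\\:"):
            raise PathTraversalError(f"bad ReferencedFileID component: {part!r}")
    root_resolved = root.resolve()
    candidate = root_resolved.joinpath(*file_id).resolve()
    if not candidate.is_relative_to(root_resolved):  # Python 3.9+
        raise PathTraversalError(f"{candidate} escapes File-set root {root_resolved}")
    return candidate

def demo() -> dict[str, str]:
    """Constructed File-set: a real record, a file outside the root, a symlink pointing out."""
    out: dict[str, str] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "fileset"
        (root / "PT000001").mkdir(parents=True)
        (root / "PT000001" / "IM000001").write_bytes(b"constructed image")
        (root.parent / "outside.txt").write_bytes(b"constructed secret")
        cases = {"legit": ["PT000001", "IM000001"], "dotdot": ["..", "outside.txt"]}
        try:
            (root / "LINK").symlink_to(root.parent / "outside.txt")
            cases["symlink"] = ["LINK"]
        except OSError:
            out["symlink"] = "skipped"  # symlinks unavailable on this host
        for name, file_id in cases.items():
            inside = unchecked_referenced_path(root, file_id).is_relative_to(root.resolve())
            try:
                checked_referenced_path(root, file_id)
                verdict = "accepted"
            except PathTraversalError:
                verdict = "rejected"
            out[name] = f"unchecked={'inside' if inside else 'outside'} checked={verdict}"
    return out
```

The symlink case is why the check runs on the fully resolved candidate rather than on the literal components alone: every component is a bare name, yet the target lies outside the root.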

CWE CWE-22
Vendor pydicom
Product pydicom
Published Mar 20, 2026
Last Updated Mar 20, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

pydicom / pydicom
>= 2.0.0-rc.1, < 3.0.2

References

NVD · CVE.org · EPSS Data
github.com: https://github.com/pydicom/pydicom/security/advisories/GHSA-v856-2rf8-9f28
github.com: https://github.com/pydicom/pydicom/commit/6414f01a053dff925578799f5a7208d2ae585e82
github.com: https://github.com/pydicom/pydicom/releases/tag/v3.0.2