CVE-2026-12473

Name of the Vulnerable Software and Affected Versions OHIF (affected versions not specified)

Description The DICOMWebProxy and DICOMJSON data sources, when used with default configurations, fetch an arbitrary URL parameter without proper validation. A global authentication service within the application automatically injects the authenticated user's OIDC Bearer token into these requests, which can lead to the token being sent to an attacker-controlled server.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.