cvedb.io
CVE-2026-5439
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-04-09T15:16:15.443 · Last modified 2026-06-17T10:59:01.640

Summary

A memory exhaustion vulnerability exists in ZIP archive processing. Orthanc automatically extracts ZIP archives uploaded to certain endpoints and trusts metadata fields describing the uncompressed size of archived files. An attacker can craft a small ZIP archive containing a forged size value, causing the server to allocate extremely large buffers during extraction.
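
A defensive extraction pattern for the flaw described above, as an added example that is not Orthanc's code or its fix. It treats the declared uncompressed size as untrusted, uses it only for early rejection, and bounds the bytes actually produced while streaming. The function names, the caps and the sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumed limits for illustration; tune to the largest legitimate upload.
MAX_ENTRY_BYTES = 1 * 1024 * 1024
MAX_TOTAL_BYTES = 4 * 1024 * 1024
CHUNK = 64 * 1024


class ArchiveTooLarge(Exception):
    """Raised when an entry or the whole archive exceeds the configured caps."""


def safe_extract(data, max_entry=MAX_ENTRY_BYTES, max_total=MAX_TOTAL_BYTES):
    """Extract a ZIP held in memory to {name: bytes} under hard size caps."""
    out, total = {}, 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # The declared size is sender-controlled metadata: reject on it
            # early, but never use it to size a buffer.
            if info.file_size > max_entry:
                raise ArchiveTooLarge(f"{info.filename}: declared {info.file_size} bytes")
            buf = bytearray()
            with zf.open(info) as src:
                # Stream in fixed chunks and count what decompression really yields.
                while chunk := src.read(CHUNK):
                    total += len(chunk)
                    if len(buf) + len(chunk) > max_entry or total > max_total:
                        raise ArchiveTooLarge(f"{info.filename}: output exceeds cap")
                    buf += chunk
            out[info.filename] = bytes(buf)
    return out


def make_zip(entries):
    """Build a constructed sample archive from {name: bytes}."""
    raw = io.BytesIO()
    with zipfile.ZipFile(raw, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return raw.getvalue()


if __name__ == "__main__":
    print(safe_extract(make_zip({"study.dcm": b"constructed sample"})))
    try:
        safe_extract(make_zip({"big.bin": bytes(2 * 1024 * 1024)}))
    except ArchiveTooLarge as exc:
        print("rejected:", exc)
```

Peak memory per entry stays at the cap plus one chunk, whatever the archive's size fields claim.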

Affected products

orthanc-server — orthanc

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.