Severity - High
Date - November 10, 2025
Affecting - PacsOne Server v6.6.2 - An affected version range remains undefined
CVE - CVE-2018-25124
CWE - CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSS - 8.7
CVSS V4 Vector - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/V/VA:N/VB:N/XC:N/SI:N/SA:N
References - ExploitDB-43907; PacsOne Server Product Site
Credit - Carlos Avila

Description - PacsOne Server version 6.6.2 (prior versions are likely affected) contains a path traversal vulnerability within the web-based DICOM viewer component. Successful exploitation allows a remote unauthenticated attacker to read arbitrary files via the 'nocache.php' endpoint with a crafted 'path' parameter. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-07 UTC.
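
Since exploitation has been observed, reviewing web server access logs for requests to 'nocache.php' whose 'path' parameter leaves its directory is a reasonable first check. The following is an added example, not code from the advisory or from PacsOne; the log format (combined access log), the "/viewer/" directory prefix, the client addresses and the file names are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format). The "/viewer/"
# prefix, client addresses and file names are made up for this example.
SAMPLE_LOG = """\
198.51.100.10 - - [01/Jan/2025:03:14:01 +0000] "GET /viewer/nocache.php?path=cache/img001.jpg HTTP/1.1" 200 5120
203.0.113.7 - - [01/Jan/2025:03:14:09 +0000] "GET /viewer/nocache.php?path=..%2f..%2f..%2fconf%2fapp.ini HTTP/1.1" 200 1832
203.0.113.7 - - [01/Jan/2025:03:14:12 +0000] "GET /viewer/nocache.php?path=%252e%252e%255c%252e%252e%255cconf%255capp.ini HTTP/1.1" 200 1832
198.51.100.10 - - [01/Jan/2025:03:15:00 +0000] "GET /viewer/index.php?path=../x HTTP/1.1" 404 210
198.51.100.22 - - [01/Jan/2025:03:16:30 +0000] "GET /viewer/nocache.php?path=report..v2/img.jpg HTTP/1.1" 200 4096
"""

REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def decode_fully(value, rounds=3):
    """Undo nested percent-encoding (e.g. %252e -> %2e -> .)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(value):
    """True if the decoded value can leave the directory it is meant to stay in."""
    norm = decode_fully(value).replace("\\", "/")
    if "\x00" in norm or norm.startswith("/") or re.match(r"^[A-Za-z]:", norm):
        return True
    return ".." in norm.split("/")  # a whole ".." segment, not "report..v2"

def suspicious_requests(log_text):
    """Return (client, status, raw_target) for nocache.php hits with a traversing 'path'."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith("/nocache.php"):
            continue
        values = parse_qs(url.query, keep_blank_values=True).get("path", [])
        if any(is_traversal(v) for v in values):
            hits.append((client, int(status), target))
    return hits
```

Flagged requests that returned status 200 deserve the closest look, since they indicate the server answered with content rather than rejecting the request.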