MEDIUM 4.3

CVE-2026-10173: Cross-Site Scripting in Orthanc Explorer 2 – Patch Guidance & Detection

Orthanc Explorer 2 versions up to 1.12.0 contain a reflected cross-site scripting (XSS) vulnerability in the StudyList component. An attacker can craft a malicious URL with a specially crafted 'remote-source' parameter that, when visited by a user, executes arbitrary JavaScript in their browser within the context of the Orthanc application. This allows theft of session tokens, modification of data, or unauthorized actions performed on behalf of the victim. The vulnerability requires user interaction—a victim must click a malicious link—but can be exploited remotely without authentication.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-79, CWE-94
Affected products
0 configuration(s)
Published / Modified
2026-05-31 / 2026-06-17

NVD description (verbatim)

A weakness has been identified in Orthanc Explorer 2 up to 1.12.0. The impacted element is an unknown function of the file WebApplication/src/components/StudyList.vue of the component URL Handler. This manipulation of the argument remote-source causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. Patch name: 21f78ce5da668bf5233efcd1896ec7c6e3b22eae. Applying a patch is the recommended action to fix this issue.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the URL handler logic of WebApplication/src/components/StudyList.vue, where the 'remote-source' parameter is processed without adequate input validation or output encoding. The component fails to sanitize user-supplied input before rendering it into the DOM, permitting injection of arbitrary HTML and JavaScript. The attack vector is network-based, requires no special privileges, and has a low attack complexity. User interaction is necessary to trigger the payload execution. The underlying weakness is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-94 (Improper Control of Generation of Code), indicating both DOM-based XSS and potential code injection concerns.

Business impact

This vulnerability poses a moderate but actionable risk to organizations deploying Orthanc Explorer 2 for medical imaging. Successful exploitation could result in unauthorized access to patient imaging data, modification of diagnostic records, or redirection of users to phishing sites. In a healthcare context, data tampering carries regulatory implications under HIPAA and similar frameworks. The public availability of exploit code lowers the barrier to malicious use, though the requirement for user interaction limits large-scale automated attacks. Organizations should prioritize patching to prevent targeted social engineering campaigns against their staff.

Affected systems

Orthanc Explorer 2 versions up to and including 1.12.0 are affected. Organizations running this component should immediately verify their deployed version. Orthanc is commonly used in medical imaging workflows, particularly in radiology and clinical research environments. The vulnerability impacts any deployment where users access the StudyList view through a web browser.

Exploitability

Exploitability is moderate. While the vulnerability requires user interaction and no authentication bypass, the public availability of exploit code and the simplicity of crafting malicious URLs lower the technical barrier. Attackers could distribute links via email, messaging platforms, or compromised websites targeting healthcare staff. The CVSS score of 4.3 reflects the network attack vector and low complexity, tempered by the requirement for user action and limited impact scope (integrity only, no confidentiality or availability loss from the XSS alone).

Remediation

Apply the patch immediately. The recommended fix is commit 21f78ce5da668bf5233efcd1896ec7c6e3b22eae, which addresses input validation and output encoding in the StudyList component. Verify patch applicability by consulting the official Orthanc project repository and release notes. Organizations unable to patch immediately should implement compensating controls, such as restricting StudyList access to internal networks, enforcing strict Content Security Policy (CSP) headers, and educating users to avoid clicking suspicious links.

Patch guidance

Upgrade Orthanc Explorer 2 to the version containing commit 21f78ce5da668bf5233efcd1896ec7c6e3b22eae or later. Consult the official Orthanc project repository for the corresponding release version number and apply through your standard change management process. Test the patch in a non-production environment before rolling out to production imaging systems. Verify that diagnostic workflows and integrations continue to function correctly after patching.

Detection guidance

Monitor web server logs and browser security event logs for anomalous URL parameters, particularly those containing JavaScript-like syntax in the 'remote-source' parameter. Implement network-based detection rules to flag URLs with suspicious encoding patterns or script-like payloads. Review Content Security Policy violation reports to detect attempted XSS injections. Endpoint detection and response (EDR) tools can monitor for unusual JavaScript execution within the Orthanc application context. User education on phishing and malicious link identification is also valuable, as the attack relies on social engineering.

Why prioritize this

Although the CVSS score is moderate (4.3), this vulnerability warrants near-term prioritization because: (1) public exploit code is available, increasing real-world attack likelihood; (2) Orthanc is deployed in regulated healthcare environments with strict data protection obligations; (3) the attack targets a commonly used interface (StudyList), increasing exposure; and (4) a straightforward patch exists. Healthcare organizations should treat this as a high-priority item within their vulnerability management queue.

Risk score, explained

The CVSS 3.1 score of 4.3 (MEDIUM severity) reflects: network accessibility without authentication (AV:N, PR:N), low attack complexity (AC:L), requirement for user interaction (UI:R), and limited impact scope (integrity only, no confidentiality or availability impact from the XSS itself, S:U). The score appropriately captures the moderate threat posed by a publicly exploitable but user-interaction-dependent XSS. In healthcare contexts, organizations may raise internal risk ratings based on data sensitivity and regulatory requirements.

Frequently asked questions

Can an attacker exploit this without the victim clicking a link?

No. The vulnerability requires user interaction—specifically, a victim must visit a URL containing the malicious payload. This typically occurs through social engineering, phishing emails, or compromised websites. Passive network exposure does not trigger the vulnerability.

What data or actions could an attacker access or perform?

A successful XSS attack could allow the attacker to steal session cookies or tokens, read sensitive imaging data displayed in the browser, modify diagnostic records or imaging metadata, or redirect the user to phishing sites. The scope depends on the victim's privileges within the Orthanc application.

Is there a public exploit available?

Yes, public exploit code is available. This significantly lowers the barrier to attack, enabling both opportunistic attackers and targeted campaigns. Organizations should prioritize patching accordingly.

Do I need to patch immediately, or can I wait for the next maintenance window?

Given the availability of public exploits and the moderate risk score, patching should occur within 1–2 weeks or sooner if your organization faces targeted threat intelligence. Healthcare organizations operating in regulated environments should prioritize this within their urgent-patch tier.

This analysis is based on publicly available information as of the publication date and is provided for informational purposes. Organizations should verify all patch version numbers, compatibility notes, and deployment guidance against the official Orthanc project repository and their vendor advisories. This document does not constitute legal or compliance advice. Healthcare organizations should assess this vulnerability within the context of their specific regulatory obligations (HIPAA, etc.) and risk management frameworks. Testing patches in non-production environments before production deployment is strongly recommended. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).