Skip to main content

Orthanc Explorer 2 CVE-2026-10173

| EUVD-2026-33493 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-05-31 VulDB GHSA-r68q-jr9v-43rv
XSS Explorer 2
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
Severity Changed
May 31, 2026 - 08:22 NVD
MEDIUM LOW
CVSS changed
May 31, 2026 - 08:22 NVD
4.3 (MEDIUM) 2.1 (LOW)
Source Code Evidence Fetched
May 31, 2026 - 08:15 vuln.today
Analysis Generated
May 31, 2026 - 08:15 vuln.today

DescriptionCVE.org

A weakness has been identified in Orthanc Explorer 2 up to 1.12.0. The impacted element is an unknown function of the file WebApplication/src/components/StudyList.vue of the component URL Handler. This manipulation of the argument remote-source causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. Patch name: 21f78ce5da668bf5233efcd1896ec7c6e3b22eae. Applying a patch is the recommended action to fix this issue.

AnalysisAI

Cross-site scripting in Orthanc Explorer 2 versions up to and including 1.12.0 enables remote attackers to inject arbitrary JavaScript into the browser sessions of users who load a crafted URL, via the unsanitized remote-source query parameter processed by the StudyList.vue URL Handler. The CVSS 4.3 rating (AV:N/AC:L/PR:N/UI:R/S:U) reflects that no authentication is required of the attacker but victim interaction with a malicious link is necessary - a classic reflected XSS profile. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious URL embedding JavaScript in `remote-source` parameter
Delivery
Deliver URL to target user via phishing or embedded link
Exploit
Victim clicks link and browser requests crafted StudyList URL
Execution
Vue.js StudyList.vue renders unsanitized `remote-source` value into DOM
Persist
Injected script executes in victim's browser session
Impact
Session token theft or malicious action performed within victim's Orthanc context
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires that a victim user load a specially crafted URL containing a malicious value in the `remote-source` query parameter against the Orthanc Explorer 2 StudyList view (AV:N/AC:L per CVSS). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 4.3 appropriately reflects moderate severity: network-reachable (AV:N), low complexity (AC:L), no attacker authentication required (PR:N), but requiring victim interaction (UI:R), with only low integrity impact and no confidentiality or availability impact (C:N/I:L/A:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL targeting a publicly reachable Orthanc Explorer 2 deployment that embeds a JavaScript payload in the `remote-source` parameter of the StudyList view, then delivers this link to a radiologist or PACS administrator via phishing email or a malicious redirect. When the victim loads the URL, the unsanitized parameter value is rendered into the Vue.js StudyList component, executing the attacker's script within the victim's authenticated browser session. …
Remediation Apply patch commit 21f78ce5da668bf5233efcd1896ec7c6e3b22eae, which upgrades vue-i18n from ^9.14.5 to ^11.0.1 and updates associated build toolchain packages; however, this commit originates from a third-party fork (rafaelsouzars/orthanc-explorer-2) rather than the canonical orthanc-server/orthanc-explorer-2 repository, and no officially tagged patched release version has been independently confirmed - administrators should verify fix availability and official release status against https://github.com/orthanc-server/orthanc-explorer-2/issues/108 before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-10173 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy