Skip to main content

Orca Heat Pump

1 CVEs product

Monthly

CVE-2026-25599 MEDIUM PATCH Monitor

Stored XSS in the Orca user portal is enabled by a multi-layer architectural failure in older Orca heat pump devices: device-to-server communications occur over unencrypted, unauthenticated HTTP on a non-secure port, and the server performs no input validation on the data it aggregates. An unauthenticated network attacker can impersonate a legitimate heat pump device, inject malicious JavaScript payloads into the data stream, which are then stored and rendered in the Orca user portal. When a portal user loads the affected page, the stored script executes, enabling session cookie theft and unauthorized actions within the portal. No public exploit code and no CISA KEV listing have been identified at time of analysis.

XSS Authentication Bypass Orca Heat Pump Orca User Portal
NVD
CVSS 3.1
6.3
EPSS
0.0%
EPSS 0% CVSS 6.3
MEDIUM PATCH Monitor

Stored XSS in the Orca user portal is enabled by a multi-layer architectural failure in older Orca heat pump devices: device-to-server communications occur over unencrypted, unauthenticated HTTP on a non-secure port, and the server performs no input validation on the data it aggregates. An unauthenticated network attacker can impersonate a legitimate heat pump device, inject malicious JavaScript payloads into the data stream, which are then stored and rendered in the Orca user portal. When a portal user loads the affected page, the stored script executes, enabling session cookie theft and unauthorized actions within the portal. No public exploit code and no CISA KEV listing have been identified at time of analysis.

XSS Authentication Bypass Orca Heat Pump +1
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy