CVE-2026-10173

Summary

A weakness has been identified in Orthanc Explorer 2 up to 1.12.0. The impacted element is an unknown function of the file WebApplication/src/components/StudyList.vue of the component URL Handler. This manipulation of the argument remote-source causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. Patch name: 21f78ce5da668bf5233efcd1896ec7c6e3b22eae. Applying a patch is the recommended action to fix this issue.

Affected Software

VendorProductVersion RangeStatus
OrthancExplorer 21.0affected
OrthancExplorer 21.1affected
OrthancExplorer 21.2affected
OrthancExplorer 21.3affected
OrthancExplorer 21.4affected
OrthancExplorer 21.5affected
OrthancExplorer 21.6affected
OrthancExplorer 21.7affected
OrthancExplorer 21.8affected
OrthancExplorer 21.9affected
OrthancExplorer 21.10affected
OrthancExplorer 21.11affected
OrthancExplorer 21.12.0affected

Weaknesses

  • CWE-79: Cross Site Scripting
  • CWE-94: Code Injection

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References