{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-15581", "assignerOrgId": "ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a", "state": "PUBLISHED", "assignerShortName": "PRJBLK", "dateReserved": "2026-02-18T03:40:45.397Z", "datePublished": "2026-02-18T22:59:55.491Z", "dateUpdated": "2026-02-19T16:39:35.695Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "orthanc", "vendor": "orthanc-server", "versions": [{"lessThanOrEqual": "1.12.9", "status": "affected", "version": "0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's HTTP Basic Authentication implementation. \n\nSuccessful exploitation could result in Privilege Escalation, potentially allowing full administrative access."}], "value": "Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's\u00a0HTTP Basic Authentication implementation. \n\nSuccessful exploitation could result in Privilege Escalation, potentially allowing full administrative access."}], "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 4.7, "baseSeverity": "MEDIUM", "exploitMaturity": "PROOF_OF_CONCEPT", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-287", "description": "CWE-287 Improper Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a", "shortName": "PRJBLK", "dateUpdated": "2026-02-18T23:03:54.596Z"}, "references": [{"url": "https://projectblack.io/blog/orthanc-1-12-9-user-impersonation/#exploitation"}, {"url": "https://discourse.orthanc-server.org/t/orthanc-1-12-10/6326"}, {"url": "https://orthanc.uclouvain.be/bugs/show_bug.cgi?id=252"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-19T16:35:50.372200Z", "id": "CVE-2025-15581", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-19T16:39:35.695Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-233", "descriptions": [{"lang": "en", "value": "CAPEC-233 Privilege Escalation"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "orthanc-server", "product": "orthanc", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "1.12.9"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://projectblack.io/blog/orthanc-1-12-9-user-impersonation/#exploitation"}, {"url": "https://discourse.orthanc-server.org/t/orthanc-1-12-10/6326"}, {"url": "https://orthanc.uclouvain.be/bugs/show_bug.cgi?id=252"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's\u00a0HTTP Basic Authentication implementation. \n\nSuccessful exploitation could result in Privilege Escalation, potentially allowing full administrative access.", "supportingMedia": [{"type": "text/html", "value": "Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's HTTP Basic Authentication implementation. \n\nSuccessful exploitation could result in Privilege Escalation, potentially allowing full administrative access.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287 Improper Authentication"}]}], "providerMetadata": {"orgId": "ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a", "shortName": "PRJBLK", "dateUpdated": "2026-02-18T23:03:54.596Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-15581", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-19T16:35:50.372200Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-02-19T16:39:28.960Z"}}]}, "cveMetadata": {"cveId": "CVE-2025-15581", "state": "PUBLISHED", "dateUpdated": "2026-02-18T23:03:54.596Z", "dateReserved": "2026-02-18T03:40:45.397Z", "assignerOrgId": "ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a", "datePublished": "2026-02-18T22:59:55.491Z", "assignerShortName": "PRJBLK"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Orthanc versions before 1.12.10 are affected by an authorisation logic flaw in the application's\u00a0HTTP Basic Authentication implementation. \n\nSuccessful exploitation could result in Privilege Escalation, potentially allowing full administrative access."}], "id": "CVE-2025-15581", "lastModified": "2026-02-19T15:53:02.850", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a", "type": "Secondary"}]}, "published": "2026-02-18T23:16:18.907", "references": [{"source": "ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a", "url": "https://discourse.orthanc-server.org/t/orthanc-1-12-10/6326"}, {"source": "ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a", "url": "https://orthanc.uclouvain.be/bugs/show_bug.cgi?id=252"}, {"source": "ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a", "url": "https://projectblack.io/blog/orthanc-1-12-9-user-impersonation/#exploitation"}], "sourceIdentifier": "ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "ab69c47f-b95e-4bf2-b2d9-4b1fd1b24b4a", "type": "Secondary"}]}

{}

{"created": "2026-02-19T10:08:04.564030+00:00", "updated": "2026-02-19T10:08:04.564140+00:00", "vendors": ["orthanc-server", "orthanc-server$PRODUCT$orthanc"]}