Description
A weakness has been identified in Orthanc Explorer 2 up to 1.12.0. The impacted element is an unknown function of the file WebApplication/src/components/StudyList.vue of the component URL Handler. Manipulation of the argument remote-source causes cross-site scripting. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. Patch name: 21f78ce5da668bf5233efcd1896ec7c6e3b22eae. Applying a patch is the recommended action to fix this issue.
Published: 2026-05-31
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross‑site scripting flaw exists in Orthanc Explorer 2 up to version 1.12.0, triggered by manipulating the remote‑source argument in the StudyList.vue component. By leveraging this vulnerability, an attacker can inject malicious scripts that execute within the victim’s browser in the context of the application, potentially stealing session data, defacing the interface, or performing actions as the authenticated user. The attack can be launched remotely without any authentication.

Affected Systems

Orthanc Explorer 2 versions up to and including 1.12.0 are affected. The flaw resides in the WebApplication/src/components/StudyList.vue file of the URL Handler component of this product.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. An exploit is publicly available, and because the vulnerable parameter is reachable via unmanaged web requests, the flaw can be abused from anywhere on the internet with no special pre‑conditions. The relative risk is moderate, but the potential for user credential theft or session hijacking makes the flaw a priority for remediation.

Generated by OpenCVE AI on May 31, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Orthanc Explorer 2 to the patched version identified by commit 21f78ce5da668bf5233efcd1896ec7c6e3b22eae or later.
  • If an immediate update cannot be applied, modify the application configuration to whitelist or disable the remote‑source parameter to block manipulated input.
  • Implement a web application firewall or enforce a strict content‑security‑policy header that blocks inline scripting to reduce the impact of any remaining XSS vectors.


Advisories

No advisories yet.

History

Sun, 31 May 2026 08:00:00 +0000

Values Added (the Values Removed column is empty for every row):

Description: A weakness has been identified in Orthanc Explorer 2 up to 1.12.0. The impacted element is an unknown function of the file WebApplication/src/components/StudyList.vue of the component URL Handler. This manipulation of the argument remote-source causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. Patch name: 21f78ce5da668bf5233efcd1896ec7c6e3b22eae. Applying a patch is the recommended action to fix this issue.
Title: Orthanc Explorer 2 URL StudyList.vue cross site scripting
First Time appeared: Orthanc; Orthanc explorer 2
Weaknesses: CWE-79, CWE-94
CPEs: cpe:2.3:a:orthanc:explorer_2:*:*:*:*:*:*:*:*
Vendors & Products: Orthanc; Orthanc explorer 2
References:
Metrics:
  cvssV2_0: {'score': 5, 'vector': 'AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:OF/RC:C'}
  cvssV3_0: {'score': 4.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
  cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-31T07:00:12.012Z

Reserved: 2026-05-30T11:08:33.360Z

Link: CVE-2026-10173

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-31T08:16:17.703

Modified: 2026-05-31T08:16:17.703

Link: CVE-2026-10173

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-31T09:30:06Z
