Impact
A stored Cross‑Site Scripting vulnerability exists in the session page of OrcaStatLLM‑Researcher. Malicious researchers can embed arbitrary JavaScript into the log message field by providing a specially crafted research topic input. When a victim renders the session page, the injected script executes in the victim’s browser, potentially exfiltrating sensitive data, hijacking the user session, or performing unauthorized actions against the site. The flaw is a classic input‑validation weakness catalogued as CWE‑79, and the reported CVSS score of 5.3 indicates moderate severity.
Affected Systems
The affected product is AlgoNetLab’s OrcaStatLLM‑Researcher, version 1.x as referenced by the CPE string. No other vendors or versions are listed, so the risk applies to installations of this particular LLM‑based research paper generator in the identified version range.
Risk and Exploitability
The vulnerability has a CVSS score of 5.3 and an EPSS below 1%, implying that exploitation is considered unlikely at present. The flaw is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply a malicious research topic that becomes part of a stored log entry, and a victim to later view the session page where the log is displayed. This is a traditional web‑application stored XSS vector, likely reachable by any authenticated or unauthenticated user depending on the application’s logging policy.
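The flow described above (research topic, stored log entry, session page) is closed by encoding every stored field when the page is built. The sketch below is an added example, not OrcaStatLLM‑Researcher code: the entry shape, function names and sample log are assumptions constructed for illustration.

```javascript
// Added example with hypothetical names; not taken from the affected project.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode text for an HTML element body or a quoted attribute value.
// A single pass over the input avoids double-encoding the '&' it emits.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Weak pattern: the stored topic is concatenated into markup unchanged,
// so any markup in the topic becomes part of the session page.
function renderLogUnsafe(entry) {
  return `<li class="log">${entry.time} Researching: ${entry.topic}</li>`;
}

// Hardened pattern: every stored field is encoded at output time,
// regardless of what validation happened when it was saved.
function renderLogSafe(entry) {
  return `<li class="log">${escapeHtml(entry.time)} Researching: ${escapeHtml(entry.topic)}</li>`;
}

// Triage helper for existing data: flag stored entries whose topic
// contains angle brackets, for manual review after the fix is deployed.
function findSuspectEntries(entries) {
  return entries.filter((e) => /[<>]/.test(String(e.topic)));
}

function renderSession(entries, renderer) {
  return `<ul>${entries.map(renderer).join('')}</ul>`;
}

// Constructed sample log: one benign topic, one carrying markup,
// one with legitimate special characters that must survive encoding.
const sampleLog = [
  { time: '10:02:11', topic: 'Transformer scaling laws' },
  { time: '10:05:42', topic: '<img src=x onerror="alert(1)">' },
  { time: '10:07:03', topic: 'R&D spending in "small" labs' },
];

console.log(renderSession(sampleLog, renderLogSafe));
console.log(findSuspectEntries(sampleLog).map((e) => e.time));
```

Encoding at render time also neutralizes entries that were stored before the fix, which input filtering alone would not.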
OpenCVE Enrichment