CVE-2026-24903
Stored XSS in OrcaStatLLM Researcher Log Message Allows Code Execution

Publication date: 2026-02-06

Last updated on: 2026-02-24

Assigner: GitHub, Inc.

Description
OrcaStatLLM Researcher is an LLM Based Research Paper Generator. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Log Message in the Session Page in OrcaStatLLM-Researcher that allows attackers to inject and execute arbitrary JavaScript code in victims' browsers through malicious research topic inputs.
Meta Information
Generated: 2026-05-27
AI Q&A: 2026-02-06
EPSS Evaluated: 2026-05-25
Affected Vendors & Products (1 associated CPE)
Vendor: algonet
Product: orcastatllm_researcher
Version / Range: 1
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability can negatively impact compliance with common standards and regulations such as GDPR and HIPAA.

Because script injected into a victim's browser can read session tokens, credentials (including API keys) and research data from the trusted application, it can lead to data breaches that violate data protection requirements.

Such breaches may result in non-compliance with regulations that mandate the protection of personal and sensitive information, potentially leading to legal penalties and reputational harm.


Can you explain this vulnerability to me?

CVE-2026-24903 is a Stored Cross-Site Scripting (XSS) vulnerability in the OrcaStatLLM-Researcher package. It occurs because the application improperly handles user input in the web interface, specifically through malicious inputs in the "Research Topic" field.

The vulnerability arises from unsafe use of the `innerHTML` property to render log messages without sanitization, allowing attackers to inject and execute arbitrary JavaScript code in victims' browsers.

Additionally, the marked.js library is configured with sanitization disabled (`sanitize: false`), which allows raw HTML to be processed and rendered, further enabling the XSS attack.

An attacker can exploit this by entering a crafted payload (e.g., `<img src=x onerror=alert('XSS-Vulnerability')>`) into the Research Topic field, which then executes malicious JavaScript when the research is generated. [1]


How can this vulnerability impact me?

This vulnerability can have several serious impacts including:

  • Session hijacking, allowing attackers to take over user sessions.
  • Credential theft, including passwords and API keys.
  • Account takeover by unauthorized users.
  • Data exfiltration of sensitive research data and API keys (e.g., Gemini, Google CSE).
  • Malware distribution through redirection to malicious sites.
  • Phishing attacks via fake login forms within the trusted application.

Overall, this can lead to unauthorized access, exposure of sensitive credentials, reputational damage, and potential legal or regulatory consequences.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This Stored Cross-Site Scripting (XSS) vulnerability can be detected by testing the web interface of OrcaStatLLM-Researcher, specifically the "Research Topic" input field on the session page.

A practical detection method is to enter a crafted payload such as `<img src=x onerror=alert('XSS-Vulnerability')>` into the Research Topic field and observe whether the JavaScript executes when research is generated. If the alert fires, the vulnerability is present: the payload was stored and rendered as live markup in the viewer's browser.

Since the vulnerability arises from unsafe use of innerHTML without sanitization, manual code review focusing on the function addLogEntry in templates/session.html (lines 1204-1208) can also detect the issue.

No specific network commands are provided; running the application locally or via Docker and performing the input test above is recommended. Because the payload is stored with the session and shown to anyone who opens that page, run the test against an isolated instance rather than a shared deployment. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include sanitizing user input before rendering it in the web interface, so that injected markup can never become script.

Specifically, avoid assigning user-controlled content through innerHTML; plain-text log messages should be set with textContent, which never parses markup.

Where HTML output is genuinely required, sanitize it with a library such as DOMPurify before it is inserted into the DOM.

Do not rely on marked.js to sanitize: its `sanitize` option (set to `sanitize: false` here) is deprecated and no longer supported in recent releases, so Markdown rendered by marked should be passed through DOMPurify before it reaches innerHTML.

Until a patched release is available, restrict access to the vulnerable interface or, if possible, disable the feature that accepts research topic inputs.

Refer to the OWASP XSS Prevention Cheat Sheet and CWE-79 guidance for best practices in preventing XSS vulnerabilities.
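The rendering pattern described in the explanation, detection and mitigation answers above, as an added example that is not OrcaStatLLM-Researcher's own code: a log message built from an attacker-controlled research topic, once in the vulnerable form the advisory describes and once escaped before interpolation. The functions return the HTML string that would be assigned to innerHTML, so the example runs under Node without a browser; the function names (renderLogEntryVulnerable, renderLogEntrySafe, containsActiveMarkup) are hypothetical stand-ins for the page's addLogEntry, and the payload is the one quoted in the advisory.

```javascript
// Added example, not OrcaStatLLM-Researcher's own code. It models the
// rendering pattern the advisory describes (a research topic interpolated
// into a log message that is assigned via innerHTML) and a hardened
// version, as pure functions that return the HTML string a browser would
// receive, so it runs under Node without a DOM.

// Payload quoted in the advisory. The research topic is attacker-controlled
// and is stored with the session, so it reaches every viewer of that page.
const XSS_PAYLOAD = "<img src=x onerror=alert('XSS-Vulnerability')>";

// Escape the characters that can close a text node or an attribute value.
// In the browser the equivalent is assigning the value via el.textContent.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (hypothetical stand-in for the page's addLogEntry):
// untrusted text lands inside markup unchanged. In a browser,
// el.innerHTML = renderLogEntryVulnerable(topic) creates the <img> element
// and runs its onerror handler as soon as the bogus src fails to load.
function renderLogEntryVulnerable(topic) {
  return `<div class="log-entry">Starting research on: ${topic}</div>`;
}

// Hardened version: the same message, but the untrusted part is escaped
// before it is interpolated, so the browser parses it as literal text.
function renderLogEntrySafe(topic) {
  return `<div class="log-entry">Starting research on: ${escapeHtml(topic)}</div>`;
}

// Review-time check: does a rendered fragment still carry a script element
// or an inline event handler? A deliberately narrow heuristic for tests,
// not a substitute for a real sanitizer such as DOMPurify.
function containsActiveMarkup(html) {
  return /<\s*script\b/i.test(html) || /<[^>]+\son[a-z]+\s*=/i.test(html);
}

// Run both renderers over the advisory's payload and report the difference.
function compareRenderings(topic = XSS_PAYLOAD) {
  const vulnerable = renderLogEntryVulnerable(topic);
  const safe = renderLogEntrySafe(topic);
  return {
    vulnerable,
    safe,
    vulnerableExecutes: containsActiveMarkup(vulnerable),
    safeExecutes: containsActiveMarkup(safe),
  };
}

console.log(compareRenderings());
```

The escaping shown here is the right fix only when the log message is plain text. If the log genuinely needs Markdown, render it with marked and pass the result through DOMPurify.sanitize before assigning it to innerHTML, rather than depending on marked's own sanitize option; a quick grep of templates/session.html for innerHTML and sanitize: false will find the spots that need changing.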

