CVE-2026-10173
Deferred Deferred - Pending Action
Cross-Site Scripting in Orthanc Explorer 2

Publication date: 2026-05-31

Last updated on: 2026-05-31

Assigner: VulDB

Description
A weakness has been identified in Orthanc Explorer 2 up to 1.12.0. The impacted element is an unknown function of the file WebApplication/src/components/StudyList.vue of the component URL Handler. This manipulation of the argument remote-source causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. Patch name: 21f78ce5da668bf5233efcd1896ec7c6e3b22eae. Applying a patch is the recommended action to fix this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-31
Last Modified
2026-05-31
Generated
2026-06-20
AI Q&A
2026-05-31
EPSS Evaluated
2026-06-19
NVD
CVE-2026-10173
EUVD
EUVD-2026-33493
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
orthanc orthanc_explorer to 1.12.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CVE-2026-10173 vulnerability is a reflected Cross-Site Scripting (XSS) attack in Orthanc Explorer 2. It occurs because the application improperly handles the 'remote-source' URL query parameter by not sanitizing it before use. This unsanitized input is injected into a Vue.js internationalization translation string and rendered using 'v-html', which allows an attacker to execute arbitrary JavaScript code in the victim's browser.

An attacker can craft a malicious URL containing an XSS payload in the 'remote-source' parameter. When a victim accesses this URL, the payload executes without requiring authentication or prior access, making the attack easy to perform remotely.

Impact Analysis

Exploitation of this vulnerability can lead to several serious impacts including session hijacking, unauthorized actions performed on behalf of the victim, exposure of sensitive medical data, and further client-side attacks.

Because no authentication or prior access is needed, attackers can easily use malicious URLs in shared environments such as emails or internal systems to compromise users.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious or malicious URLs containing the `remote-source` parameter with potentially harmful payloads. Since the vulnerability involves reflected Cross-Site Scripting (XSS) via the `remote-source` URL query parameter, detection can focus on identifying such crafted URLs being accessed or logged.

You can use network monitoring tools or web server logs to search for requests containing the `remote-source` parameter with suspicious content.

  • Use grep or similar tools on web server logs to find requests with the `remote-source` parameter, for example: `grep -i 'remote-source=' /var/log/nginx/access.log`
  • Use intrusion detection systems (IDS) or web application firewalls (WAF) to detect or block requests with suspicious scripts or encoded payloads in the `remote-source` parameter.
  • Manually test the application by crafting URLs with XSS payloads in the `remote-source` parameter to see if the payload executes, indicating vulnerability.
Mitigation Strategies

The recommended immediate step to mitigate this vulnerability is to apply the official patch identified by commit 21f78ce5da668bf5233efcd1896ec7c6e3b22eae.

This patch upgrades the vue-i18n library and introduces sanitization of the `remote-source` input in the StudyList component, preventing the injection of malicious scripts.

Until the patch can be applied, consider implementing input validation or filtering on the `remote-source` parameter to block or sanitize suspicious inputs.

Additionally, use web application firewalls (WAF) to detect and block XSS attack attempts targeting this parameter.

Compliance Impact

The vulnerability allows for reflected Cross-Site Scripting (XSS) attacks that can lead to session hijacking, unauthorized actions, and exposure of sensitive medical data.

Exposure of sensitive medical data through such attacks can negatively impact compliance with regulations like HIPAA, which mandates the protection of patient health information.

Similarly, GDPR requires protection of personal data and breach prevention; exploitation of this vulnerability could result in unauthorized data access or leakage, thus affecting GDPR compliance.

Therefore, until patched, this vulnerability poses a risk to maintaining compliance with standards that require safeguarding sensitive or personal data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-10173. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart