CVE-2026-10173 MEDIUM

CVE-2026-10173: Orthanc Explorer 2 URL StudyList.vue cross site scripting

Vendor Orthanc
Product Explorer 2
Weakness CWE-79 · XSS
Published May 31, 2026
Last update June 1, 2026
View on NVD All CVEs

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A weakness has been identified in Orthanc Explorer 2 up to 1.12.0. The impacted element is an unknown function of the file WebApplication/src/components/StudyList.vue of the component URL Handler. This manipulation of the argument remote-source causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. Patch name: 21f78ce5da668bf5233efcd1896ec7c6e3b22eae. Applying a patch is the recommended action to fix this issue.

Key dates

02Disclosure timeline

May 31, 2026 CVE published
June 1, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-50439 WordPress Astra Widgets plugin <= 1.2.14 - Stored Cross Site Scripting (XSS) vulnerability CVE-2025-30899 WordPress User Registration plugin <= 4.0.3 - Cross Site Scripting (XSS) vulnerability CVE-2024-56069 WordPress WP SuperBackup plugin <= 2.3.3 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2026-9608 QianFox FoxCMS Administrator Backend edit cross site scripting CVE-2023-43657 Improper escaping of encrypted topic titles can lead to Cross-site Scripting under non-default site configuration