CVE-2026-25599 MEDIUM

CVE-2026-25599: Missing authentication and clear‑text data transmission affecting Orca heat pumps

Vendor Orca Energy
Product Orca heat pump
Weakness CWE-79 · XSS
Published June 1, 2026
Last update June 1, 2026
View on NVD All CVEs

CVSS base score

6.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

What the vulnerability does

01Description

Missing authentication and clear‑text transmission of data from the heat pumps to the control server, combined with the absence of input validation on aggregated data, can lead to stored XSS that enables theft of cookies from the pump’s web control interface. Older Orca heat pump devices communicating with the Orca server over an unencrypted and unauthenticated HTTP connection on a non-secure port specifically enable an attacker to impersonate a legitimate device and inject malicious payloads. This enables the insertion of harmful code directly into the Orca user portal, potentially compromising user accounts, exposing sensitive information, and allowing further unauthorized actions within the portal.

Key dates

02Disclosure timeline

June 1, 2026 CVE published
June 1, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-29918 WordPress Survey Maker plugin <= 4.0.6 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2022-2887 WP Server Health Stats < 1.7.0 - Admin+ Stored Cross-Site Scripting CVE-2024-35733 WordPress Auto Coupons for WooCommerce plugin <= 3.0.14 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2019-25375 OPNsense 19.1 Reflected XSS via monit interface CVE-2023-5085 Advanced Menu Widget <= 0.4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode