CVE-2026-10173 Orthanc CVE debrief

Who should care

Healthcare organizations using Orthanc Explorer 2 for DICOM medical imaging management; security teams defending web-based medical imaging interfaces; developers maintaining Vue.js applications handling URL parameters.

Technical summary

The vulnerability is a cross-site scripting flaw in Orthanc Explorer 2 versions up to 1.12.0. The affected component is the URL handler in `WebApplication/src/components/StudyList.vue`. The `remote-source` argument is vulnerable to injection of malicious scripts. Successful exploitation requires remote attack initiation with user interaction. The exploit has been publicly disclosed. The fix is contained in commit 21f78ce5da668bf5233efcd1896ec7c6e3b22eae.

Defensive priority

medium

Recommended defensive actions

• Apply the patch from commit 21f78ce5da668bf5233efcd1896ec7c6e3b22eae to remediate this vulnerability.
• Upgrade to a fixed version of Orthanc Explorer 2 beyond 1.12.0 when available.
• Implement Content Security Policy (CSP) headers to mitigate impact of any residual XSS vectors.
• Validate and sanitize all user-controllable input, particularly URL parameters like remote-source, before DOM insertion.
• Review WebApplication/src/components/StudyList.vue for additional unescaped output contexts.

Evidence notes

The vulnerability was reported to VulDB (submission 819559) and assigned CVE-2026-10173. The issue was tracked as GitHub issue #108 in the orthanc-server/orthanc-explorer-2 repository. The fix was committed by rafaelsouzars. CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-94 (Improper Control of Generation of Code) are identified as associated weaknesses.

Official resources