PatchSiren

Orthanc CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

LOW Orthanc CVE published 2026-05-31

CVE-2026-10173

A stored cross-site scripting (XSS) vulnerability exists in Orthanc Explorer 2 up to version 1.12.0. The flaw resides in the URL handler within `WebApplication/src/components/StudyList.vue`, where the `remote-source` argument is not properly sanitized before rendering. An attacker can inject malicious scripts through this parameter, which execute in the context of a victim's browser session when interacti [truncated]

CRITICAL Orthanc CVE published 2025-02-06

CVE-2025-0896

CVE-2025-0896 affects Orthanc Server versions prior to 1.5.8. According to the CISA CSAF advisory, when remote access is enabled, basic authentication is not enabled by default, which can leave the service open to unauthorized access. The advisory rates the issue CVSS 9.8 (Critical). Orthanc advises updating to the latest version or explicitly enabling HTTP authentication by setting AuthenticationEnabled [truncated]

HIGH Orthanc CVE published 2024-01-23

CVE-2023-7238

A stored cross-site scripting (XSS) vulnerability exists in the Orthanc Osimis WebViewer, a DICOM medical imaging viewer used in healthcare environments. The flaw allows an attacker to embed malicious JavaScript payloads within DICOM study metadata. When a healthcare practitioner or administrator subsequently views the compromised study through the web interface, the embedded script executes in the victim [truncated]