CVE-2026-10173 Overview
CVE-2026-10173 is a reflected cross-site scripting (XSS) vulnerability in Orthanc Explorer 2 versions up to and including 1.12.0. The flaw resides in the URL Handler component, specifically within the WebApplication/src/components/StudyList.vue file. Attackers can manipulate the remote-source argument to inject malicious script content that executes in the context of a victim's browser session. The exploit has been published, making the vulnerability accessible to remote attackers who can lure a user into interacting with a crafted URL. A patch identified by commit 21f78ce5da668bf5233efcd1896ec7c6e3b22eae is available from the project maintainers.
Critical Impact
Remote attackers can execute arbitrary JavaScript in an authenticated user's browser session by tricking the user into clicking a malicious link targeting the remote-source URL parameter.
Affected Products
- Orthanc Explorer 2 versions up to and including 1.12.0
- The StudyList.vue component within the URL Handler
- Deployments exposing Orthanc Explorer 2 over the network
Discovery Timeline
- 2026-05-31 - CVE-2026-10173 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-10173
Vulnerability Analysis
The vulnerability is classified as cross-site scripting under CWE-79. Orthanc Explorer 2 fails to properly sanitize or encode the remote-source URL parameter before rendering it through the StudyList.vue Vue.js component. When a user navigates to a crafted URL containing attacker-controlled markup or script content, the application reflects that input back into the rendered DOM without adequate output encoding.
The attack requires user interaction, typically a click on a malicious link, which limits unsolicited mass exploitation. However, the network attack vector and lack of authentication requirements make targeted phishing scenarios viable. EPSS data indicates a probability of 0.036% with a percentile of 11.175, reflecting low observed exploit activity at this time despite the public availability of proof-of-concept code.
Root Cause
The root cause is improper neutralization of input during web page generation in the StudyList.vue component. The remote-source query parameter is consumed by the URL Handler and rendered into the page without contextual output escaping. Vue.js template interpolation escapes output by default, so Vue applications are generally safe against XSS, but use of unsafe rendering directives such as v-html, or direct DOM manipulation with untrusted input, bypasses that protection.
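As an added illustration of the pattern just described (not Orthanc Explorer 2's own code, nor its fix), the following contrasts a render function that echoes the remote-source value raw, as v-html or innerHTML would, with one that first validates it as an http(s) URL on a host allowlist and HTML-encodes whatever it echoes. The function names and the allowlisted host are assumptions.

```javascript
// Added illustration (not Orthanc Explorer 2 code): reflected query parameter
// rendered raw versus validated and HTML-encoded. Names are hypothetical.

// HTML-encode the characters that matter in element-content and attribute contexts.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Accept remote-source only if it parses as an absolute http(s) URL whose
// host is on an allowlist (constructed list); anything else is rejected.
const ALLOWED_REMOTE_HOSTS = new Set(["pacs.example.org"]);
function validateRemoteSource(raw) {
  let u;
  try { u = new URL(raw); } catch { return null; }   // markup is not a URL
  if (u.protocol !== "https:" && u.protocol !== "http:") return null; // drops javascript:
  if (!ALLOWED_REMOTE_HOSTS.has(u.hostname)) return null;
  return u.href;
}

// UNSAFE: the equivalent of v-html / innerHTML with the raw parameter.
function renderUnsafe(remoteSource) {
  return `<div class="study-list" data-source="${remoteSource}">Studies from ${remoteSource}</div>`;
}

// SAFE: validate first, then encode what is echoed back into the page.
function renderSafe(remoteSource) {
  const src = validateRemoteSource(remoteSource);
  if (src === null) return '<div class="study-list">Invalid remote source</div>';
  const enc = escapeHtml(src);
  return `<div class="study-list" data-source="${enc}">Studies from ${enc}</div>`;
}
```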
Attack Vector
An attacker crafts a URL pointing to the Orthanc Explorer 2 interface that includes a malicious payload in the remote-source parameter. The attacker delivers the URL through phishing, chat, or embedded links on third-party sites. When a victim with an active session clicks the link, the injected script executes in the browser, enabling actions such as session token theft, DICOM study manipulation through authenticated API calls, or pivoting to other Orthanc services.
The vulnerability manifests when the unsanitized remote-source value is passed into the rendering pipeline of StudyList.vue. Refer to the GitHub Issue Tracker and the GitHub Commit Log for the specific code changes that address this flaw.
Detection Methods for CVE-2026-10173
Indicators of Compromise
- HTTP requests to Orthanc Explorer 2 endpoints containing remote-source parameter values with <script>, javascript:, onerror=, or encoded HTML entities
- Outbound requests from user browsers to unfamiliar domains shortly after accessing the Orthanc Explorer 2 interface
- Web server access logs showing unusual referrers or long URL-encoded payloads targeting Orthanc Explorer 2 routes
Detection Strategies
- Inspect web proxy and WAF logs for query strings on Orthanc Explorer 2 URLs that contain script tags, event handlers, or base64-encoded payloads
- Deploy Content Security Policy (CSP) violation reporting to surface attempts to load inline scripts or untrusted external resources
- Correlate authenticated Orthanc API actions with unusual user-agent or timing patterns suggesting browser-based session abuse
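Added detection example, not part of the advisory: a Node script that pulls the remote-source value out of combined-format access log lines, URL-decodes it repeatedly so double-encoded payloads are seen, and flags the markers listed under Indicators of Compromise. The log lines and the /ui/app/ path are constructed samples.

```javascript
// Added detection example (not part of the advisory). Log lines are constructed.
// Scans access-log lines for remote-source values carrying the advisory's IoC markers.

const SAMPLE_LOG = [
  '10.0.0.5 - - [31/May/2026:10:01:02 +0000] "GET /ui/app/?remote-source=https%3A%2F%2Fpacs.example.org HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '10.0.0.9 - - [31/May/2026:10:03:44 +0000] "GET /ui/app/?remote-source=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '10.0.0.9 - - [31/May/2026:10:04:10 +0000] "GET /ui/app/?remote-source=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '10.0.0.7 - - [31/May/2026:10:05:00 +0000] "GET /ui/app/?study=1.2.3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
];

// Markers from the Indicators of Compromise list; matched after decoding.
const MARKERS = [/<script/i, /javascript:/i, /on(error|load)\s*=/i, /&#?[a-z0-9]+;/i];

// Decode repeatedly so double-encoded payloads (%253C -> %3C -> <) are seen.
function fullyDecode(value, maxRounds = 3) {
  let cur = value;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch { break; } // stray %: stop
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Extract the request target (path + query) from a combined-format log line.
function extractRequestTarget(line) {
  const m = line.match(/"(?:GET|POST|HEAD) (\S+) HTTP\/[0-9.]+"/);
  return m ? m[1] : null;
}

// Return the fully decoded remote-source value, or null if the parameter is absent.
function remoteSourceParam(target) {
  const q = target.indexOf("?");
  if (q < 0) return null;
  const v = new URLSearchParams(target.slice(q + 1)).get("remote-source");
  return v === null ? null : fullyDecode(v);
}

// Return the 1-based line numbers whose remote-source value matches a marker.
function findSuspicious(lines) {
  const hits = [];
  lines.forEach((line, i) => {
    const target = extractRequestTarget(line);
    if (!target) return;
    const v = remoteSourceParam(target);
    if (v !== null && MARKERS.some((re) => re.test(v))) hits.push(i + 1);
  });
  return hits;
}
```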
Monitoring Recommendations
- Enable verbose access logging on the reverse proxy fronting Orthanc Explorer 2 and retain query parameters for forensic review
- Alert on Orthanc Explorer 2 versions running at or below 1.12.0 discovered through asset inventory or vulnerability scanning
- Monitor the VulDB Vulnerability Profile and the project's GitHub repository for additional advisories or related fixes
How to Mitigate CVE-2026-10173
Immediate Actions Required
- Upgrade Orthanc Explorer 2 to a release that incorporates commit 21f78ce5da668bf5233efcd1896ec7c6e3b22eae or later
- Restrict access to Orthanc Explorer 2 to trusted networks using VPN or IP allowlisting until patching is complete
- Notify users of the deployment to avoid clicking unsolicited links that point to the Orthanc Explorer 2 hostname
Patch Information
The upstream fix is published as commit 21f78ce5da668bf5233efcd1896ec7c6e3b22eae. Administrators should pull the latest release that includes this commit from the orthanc-server GitHub repository and redeploy the web application. Verify the deployed version after upgrade and clear browser caches for affected users.
Workarounds
- Deploy a Web Application Firewall (WAF) rule that blocks remote-source parameter values containing script tags, event handler attributes, or encoded HTML markup
- Enforce a strict Content Security Policy that disallows inline scripts and restricts script sources to known origins
- Disable or restrict access to the URL Handler functionality if it is not required for operational workflows
# Example nginx configuration to block obvious XSS payloads in remote-source.
# $args is the raw, still percent-encoded query string, so the pattern also lists
# the encoded forms a browser sends. Double-encoded or otherwise obfuscated payloads
# are not caught: treat this as defense in depth, not a substitute for the patch.
location / {
    if ($args ~* "remote-source=[^&]*(<script|%3Cscript|javascript(:|%3A)|on(error|load)(=|%3D))") {
        return 403;
    }
    # CSP limits what injected markup can do if a payload slips through; confirm the
    # application's own scripts still load under this policy before enforcing it.
    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
    proxy_pass http://orthanc_explorer_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.