CVE-2026-24903

5.4 MEDIUM

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in OrcaStatLLM Researcher allows attackers to inject malicious JavaScript code through research topic inputs. This code executes in victims' browsers when they view session logs, potentially compromising user accounts and data. Users of OrcaStatLLM Researcher are affected.

💻 Affected Systems

Products:
  • OrcaStatLLM Researcher
Versions: All versions prior to patch
Operating Systems: All platforms running the application
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the session page log message functionality when processing research topic inputs.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or install malware on user systems.

🟠

Likely Case

Session hijacking, credential theft, and unauthorized actions performed in the context of logged-in users.

🟢

If Mitigated

Limited impact with proper input validation and output encoding, potentially only affecting user interface elements.

🌐 Internet-Facing: HIGH if the application is publicly accessible, as unauthenticated users could exploit it to target other users.
🏢 Internal Only: MEDIUM if restricted to internal networks, but still poses risk to authenticated users within the organization.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to submit research topics, which typically requires some level of access to the application.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check GitHub advisory for specific patched version

Vendor Advisory: https://github.com/AlgoNetLab/OrcaStatLLM-Researcher/security/advisories/GHSA-47wv-g894-82m4

Restart Required: Yes

Instructions:

1. Visit the GitHub security advisory
2. Update to the latest patched version
3. Restart the OrcaStatLLM Researcher application
4. Verify the fix by testing XSS payloads

🔧 Temporary Workarounds

Input Validation Filter
Applies to: all
Implement server-side input validation to sanitize research topic inputs before processing.
Action: Implement input sanitization in the research topic handler.

Output Encoding
Applies to: all
Apply proper HTML encoding to log message outputs before rendering in the browser.
Action: Encode user-controlled data in session page templates.
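The two workarounds above, input validation in the topic handler and output encoding in the session-log template, are shown together in the following added example. It is not code from OrcaStatLLM Researcher; the function names `sanitize_research_topic` and `render_log_line` and the log-line HTML layout are assumptions, and the language choice assumes a Python application. The point it makes is that the two layers are independent: validation narrows the input, but the rendering step still encodes every user-controlled value, so the topic from the verification step below is inert even if validation is bypassed.

```python
import html
import re

# Hypothetical helpers; the real OrcaStatLLM Researcher handler and template
# are not on the page. Both layers are applied: validation on the way in,
# encoding on the way out.


def sanitize_research_topic(topic: str, max_len: int = 200) -> str:
    """Server-side validation for the research topic input (workaround 1).

    Collapses whitespace, drops non-printable characters and enforces a
    length limit. It deliberately does not try to strip tags: that is a
    blacklist, and the rendering step must encode regardless.
    """
    topic = re.sub(r"\s+", " ", topic)
    topic = "".join(ch for ch in topic if ch.isprintable()).strip()
    return topic[:max_len]


def render_log_line(level: str, message: str) -> str:
    """Build the HTML for one session-log entry (workaround 2).

    Every user-controlled value is passed through html.escape with
    quote=True, so it is inert both as element content and inside an
    attribute value.
    """
    return (
        f'<li class="log {html.escape(level, quote=True)}">'
        f"{html.escape(message, quote=True)}</li>"
    )


def render_session_log(entries: list[tuple[str, str]]) -> str:
    """Render a whole session log; every entry goes through render_log_line."""
    return "<ul>" + "".join(render_log_line(lvl, msg) for lvl, msg in entries) + "</ul>"


def is_inert(rendered_line: str) -> bool:
    """Check that a rendered line contains only the two <li> tags we emitted."""
    return rendered_line.count("<") == 2 and "<script" not in rendered_line.lower()


if __name__ == "__main__":
    # Constructed topic matching the page's verification payload.
    topic = sanitize_research_topic("Starting research on <script>alert('test')</script>")
    line = render_log_line("info", topic)
    print(line)
    print("inert:", is_inert(line))
```

In a real template engine the same effect comes from leaving autoescaping on and never marking log messages as safe; the explicit `html.escape` here shows what that autoescaping must do.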

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with XSS protection rules
  • Disable or restrict access to the session page functionality

🔍 How to Verify

Check if Vulnerable:

Test by submitting a research topic containing a basic XSS payload such as <script>alert('test')</script> and check whether it executes when the session logs are viewed

Check Version:

Check application version in settings or about page

Verify Fix Applied:

After patching, test the same XSS payload to confirm it's properly sanitized and doesn't execute

📡 Detection & Monitoring

Log Indicators:

  • Unusual research topic submissions containing script tags or JavaScript code
  • Multiple failed XSS attempts in logs

Network Indicators:

  • Unexpected JavaScript execution in session page responses
  • Suspicious outbound connections from user browsers

SIEM Query:

Search for research_topic fields containing script tags or JavaScript patterns in application logs
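The log indicators and the SIEM query above can be checked offline against application logs with the following added detection script. It is not part of OrcaStatLLM Researcher or any SIEM product; the JSON log format, the `research_topic` field name and the sample lines are constructed for the example. It decodes URL and HTML-entity encoding before matching, so the same script-tag payload from the verification section is caught whether it was logged raw, percent-encoded or entity-encoded, and it counts attempts per user to surface the "multiple attempts" indicator.

```python
import html
import json
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log lines; the real log format of the application is not
# on the page. Only "mallory" submits the page's verification payload, in
# three encodings; "bob" is a benign near-miss for the javascript: pattern.
SAMPLE_LOGS = [
    '{"ts":"2026-01-10T09:00:01Z","user":"alice","event":"topic_submitted","research_topic":"Impact of solar storms on GPS"}',
    '{"ts":"2026-01-10T09:00:07Z","user":"mallory","event":"topic_submitted","research_topic":"test <script>alert(\'test\')</script>"}',
    '{"ts":"2026-01-10T09:00:09Z","user":"mallory","event":"topic_submitted","research_topic":"test%20%3Cscript%3Ealert(%27test%27)%3C%2Fscript%3E"}',
    '{"ts":"2026-01-10T09:00:12Z","user":"mallory","event":"topic_submitted","research_topic":"test &lt;SCRIPT&gt;alert(\'test\')&lt;/SCRIPT&gt;"}',
    '{"ts":"2026-01-10T09:01:00Z","user":"bob","event":"topic_submitted","research_topic":"javascript frameworks comparison"}',
]

# Detection patterns, applied to the normalised (decoded, lower-cased) value.
INDICATORS = [
    ("script_tag", re.compile(r"<\s*/?\s*script\b")),
    ("javascript_uri", re.compile(r"javascript\s*:")),
    ("event_handler_attr", re.compile(r"\bon[a-z]+\s*=")),
]


def normalize(value: str) -> str:
    """Undo up to two layers of URL encoding, then HTML entities, then lower-case."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return html.unescape(value).lower()


def find_xss_indicators(lines: list[str]) -> list[dict]:
    """Return one hit per log line whose research_topic matches an indicator."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # not a structured line; skip rather than crash the scan
        topic = rec.get("research_topic")
        if not isinstance(topic, str):
            continue
        norm = normalize(topic)
        for name, pattern in INDICATORS:
            if pattern.search(norm):
                hits.append({"ts": rec.get("ts"), "user": rec.get("user"),
                             "indicator": name, "research_topic": topic})
                break  # one hit per line is enough for triage
    return hits


def attempts_by_user(hits: list[dict]) -> dict:
    """Count flagged submissions per user (the 'multiple attempts' indicator)."""
    return dict(Counter(h["user"] for h in hits))


def repeat_offenders(hits: list[dict], threshold: int = 2) -> list[str]:
    """Users with at least `threshold` flagged submissions."""
    return sorted(u for u, n in attempts_by_user(hits).items() if n >= threshold)


if __name__ == "__main__":
    found = find_xss_indicators(SAMPLE_LOGS)
    for h in found:
        print(f"{h['ts']} user={h['user']} indicator={h['indicator']}")
    print("repeat offenders:", repeat_offenders(found))
```

The decoding step matters more than the pattern list: a SIEM query that only searches for the literal string `<script` misses the percent-encoded and entity-encoded forms that many clients and log pipelines produce.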
