CVE-2026-25599EPSS p1.8%

CVE-2026-25599CVE-2026-25599

Description

Missing authentication and clear‑text transmission of data from the heat pumps to the control server, combined with the absence of input validation on aggregated data, can lead to stored XSS that enables theft of cookies from the pump’s web control interface. Older Orca heat pump devices communicating with the Orca server over an unencrypted and unauthenticated HTTP connection on a non-secure port specifically enable an attacker to impersonate a legitimate device and inject malicious payloads. This enables the insertion of harmful code directly into the Orca user portal, potentially compromising user accounts, exposing sensitive information, and allowing further unauthorized actions within the portal.

Scoring

CVSS 6.3 ()
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
EPSS0.11% probability of exploitation · percentile 1.8% · 2026-06-19T12:03:05Z
Last modified2026-06-01

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-6260
CVE
CVE-2025-1387
CVE
CVE-2025-41709
CVE
CVE-2026-5300
CVE
CVE-2025-6185
CVE
CVE-2026-5302
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.