Stored XSS Vulnerability in Orca Heat Pumps by Orca
CVE-2026-25599
6.3 MEDIUM
What is CVE-2026-25599?
The Orca heat pumps suffer from a serious vulnerability caused by missing authentication and by the transmission of data in clear text to the control server. The devices talk to the server over an unencrypted, unauthenticated HTTP connection on a non-secure port, which allows attackers to impersonate legitimate devices. Through an impersonated device, malicious payloads can be injected into the control interface of the Orca user portal (a stored cross-site scripting condition). As a result, user cookies can be stolen, user accounts compromised and sensitive information exposed, and further unauthorized actions can be carried out within the portal.
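The two portal-side defences this record points at are refusing or neutralising device-supplied values before they are rendered, and keeping the session cookie out of reach of page scripts. The following Python is an added illustration of those two controls and is not code from Orca or from the advisory; the field names (`device_id`, `name`, `status`), the allowlist pattern and the sample telemetry records are constructed assumptions, since the advisory does not name the affected fields or endpoints.

```python
import html
import re

# Constructed sample of telemetry as a device might report it to the portal.
# The field names are assumptions for this example; the advisory does not name
# the affected fields. The second record carries markup where a device name is
# expected, which is exactly the kind of value a stored-XSS fix must neutralise.
DEVICE_REPORTS = [
    {"device_id": "hp-001", "name": "Garage unit", "status": "heating"},
    {"device_id": "hp-002", "name": "<script>injected()</script>", "status": "idle"},
]

# Allowlist for device-chosen display names (an assumption for this example):
# letters, digits, space, dot, dash, underscore, 1-64 characters.
DEVICE_NAME_RE = re.compile(r"^[A-Za-z0-9 ._-]{1,64}$")


def validate_device_name(name: str) -> bool:
    """Ingest-time check: True if the name matches the allowlist, else False.

    Rejecting unexpected characters when the device report arrives keeps
    markup out of the database in the first place.
    """
    return bool(DEVICE_NAME_RE.fullmatch(name))


def render_device_row(report: dict) -> str:
    """Render one table row with every device-supplied value HTML-escaped.

    Escaping at render time is the primary defence: even if a hostile value
    reached storage, the browser receives it as text, not as markup.
    """
    cells = (
        html.escape(str(report.get(key, "")), quote=True)
        for key in ("device_id", "name", "status")
    )
    return "<tr>" + "".join(f"<td>{cell}</td>" for cell in cells) + "</tr>"


def render_device_table(reports: list) -> str:
    """Render the portal's device list.

    Names that fail the allowlist are replaced by a fixed placeholder, and all
    remaining values still go through render_device_row's escaping.
    """
    rows = []
    for report in reports:
        shown = dict(report)
        if not validate_device_name(shown.get("name", "")):
            shown["name"] = "(invalid name)"
        rows.append(render_device_row(shown))
    return "<table>" + "".join(rows) + "</table>"


def session_cookie_header(token: str) -> str:
    """Build the Set-Cookie value for the portal session.

    HttpOnly keeps the cookie out of reach of scripts running in the page,
    Secure keeps it off clear-text HTTP, and SameSite limits cross-site use.
    """
    return f"session={token}; HttpOnly; Secure; SameSite=Strict; Path=/"


if __name__ == "__main__":
    print(render_device_table(DEVICE_REPORTS))
    print(session_cookie_header("example-token"))
```

Both layers matter: the allowlist stops bad names at ingest, and output escaping covers values that were stored before the check existed or that arrive through another path. An HttpOnly session cookie does not stop script injection, but it removes the cookie-theft outcome the advisory describes even if an injection succeeds.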
Affected Version(s)
Orca heat pump: all versions before 2.1.0
Orca user portal: all versions before 1.19
