What is CVE-2026-25599?

CVE-2026-25599 is a medium-severity vulnerability in Orca Energy Heat Pump, classified under Cross-site Scripting. CVSS score: 6.3/10. Published 2026-06-01.

How severe is CVE-2026-25599?

Medium severity. CVSS v3 base score is 6.3 out of 10.

XSS in Orca Energy Heat Pump

CVE-2026-25599

Missing authentication and clear‑text transmission of data from the heat pumps to the control server, combined with the absence of input validation on aggregated data, can lead to stored XSS that enables theft of cookies from the pump’s we…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (4.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 6.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L.

Affected products

Orca Energy Heat Pump — versions 0
Orca Energy User Portal — versions 0

Weakness classification (CWE)

CWE-79 — Cross-site Scripting
CWE-306 — Missing Authentication for Critical Function
CWE-319 — Cleartext Transmission of Sensitive Information

References

a6d3dc9e-0591-4a13-bce7-0f5b31ff6158

Frequently asked questions

What is CVE-2026-25599?: CVE-2026-25599 is a medium-severity vulnerability in Orca Energy Heat Pump, classified under Cross-site Scripting. CVSS score: 6.3/10. Published 2026-06-01.
How severe is CVE-2026-25599?: Medium severity. CVSS v3 base score is 6.3 out of 10.