orthanc-server CVE Vulnerabilities & Metrics

Focus on orthanc-server vulnerabilities and metrics.

Last updated: 01 Aug 2025, 22:25 UTC

About orthanc-server Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with orthanc-server. We track both calendar-based metrics (using fixed periods) and rolling metrics (using gliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.

For a broader perspective on cybersecurity threats, explore the comprehensive list of CVEs by vendor and product. Stay updated on critical vulnerabilities affecting major software and hardware providers.

Global CVE Overview

Total orthanc-server CVEs: 4
Earliest CVE date: 29 Jun 2023, 15:15 UTC
Latest CVE date: 13 Feb 2025, 02:15 UTC

Latest CVE reference: CVE-2025-0896

Rolling Stats

30-day Count (Rolling): 0
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): -50.0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): -50.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical orthanc-server CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 0.0

Max CVSS: 0

Critical CVEs (≥9): 0

CVSS Range vs. Count

Range	Count
0.0-3.9	4
4.0-6.9	0
7.0-8.9	0
9.0-10.0	0

CVSS Distribution Chart

Top 5 Highest CVSS orthanc-server CVEs

These are the five CVEs with the highest CVSS scores for orthanc-server, sorted by severity first and recency.

CVE-2025-0896 orthanc-server Published on 13 Feb 2025, 02:15 UTC (CVSS: 0)
Orthanc server prior to version 1.5.8 does not enable basic authentication by default when remote access is enabled. This could result in unauthorized access by an attacker.
CVE-2024-22725 orthanc-server Published on 24 Jan 2024, 16:15 UTC (CVSS: 0)
Orthanc versions before 1.12.2 are affected by a reflected cross-site scripting (XSS) vulnerability. The vulnerability was present in the server's error reporting.
CVE-2023-7238 orthanc-server Published on 23 Jan 2024, 20:15 UTC (CVSS: 0)
A XSS payload can be uploaded as a DICOM study and when a user tries to view the infected study inside the Osimis WebViewer the XSS vulnerability gets triggered. If exploited, the attacker will be able to execute arbitrary JavaScript code inside the victim's browser.
CVE-2023-33466 orthanc-server Published on 29 Jun 2023, 15:15 UTC (CVSS: 0)
Orthanc before 1.12.0 allows authenticated users with access to the Orthanc API to overwrite arbitrary files on the file system, and in specific deployment scenarios allows the attacker to overwrite the configuration, which can be exploited to trigger Remote Code Execution (RCE).

All CVEs for orthanc-server

CVE-2025-0896 orthanc-server vulnerability CVSS: 0 13 Feb 2025, 02:15 UTC

Orthanc server prior to version 1.5.8 does not enable basic authentication by default when remote access is enabled. This could result in unauthorized access by an attacker.

CVE-2024-22725 orthanc-server vulnerability CVSS: 0 24 Jan 2024, 16:15 UTC

Orthanc versions before 1.12.2 are affected by a reflected cross-site scripting (XSS) vulnerability. The vulnerability was present in the server's error reporting.

CVE-2023-7238 orthanc-server vulnerability CVSS: 0 23 Jan 2024, 20:15 UTC

A XSS payload can be uploaded as a DICOM study and when a user tries to view the infected study inside the Osimis WebViewer the XSS vulnerability gets triggered. If exploited, the attacker will be able to execute arbitrary JavaScript code inside the victim's browser.

CVE-2023-33466 orthanc-server vulnerability CVSS: 0 29 Jun 2023, 15:15 UTC

Orthanc before 1.12.0 allows authenticated users with access to the Orthanc API to overwrite arbitrary files on the file system, and in specific deployment scenarios allows the attacker to overwrite the configuration, which can be exploited to trigger Remote Code Execution (RCE).