CVE-2026-24903 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79 found in the OrcaStatLLM-Researcher product by AlgoNetLab. OrcaStatLLM-Researcher is an AI-driven tool designed to generate research papers based on user input. The vulnerability specifically resides in the Log Message feature on the Session Page, where user-supplied research topic inputs are improperly sanitized or neutralized before being rendered in the web interface. This improper input handling allows attackers to inject malicious JavaScript code that is stored on the server and executed in the browsers of users who view the affected page. The vulnerability does not require any privileges or authentication to exploit, but it does require user interaction, such as a victim visiting a crafted session page containing the malicious payload. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), user interaction required (UI:P), and limited scope (S:L). The impact is primarily on confidentiality and integrity, as attackers can execute arbitrary scripts to steal session cookies, perform actions on behalf of users, or manipulate displayed content. No patches or known exploits are currently available, increasing the urgency for organizations to implement mitigations. The vulnerability affects versions up to and including version 1 of OrcaStatLLM-Researcher. Given the nature of the product, the vulnerability could be exploited in environments where research collaboration and document generation are frequent, potentially exposing sensitive academic or proprietary information.

For European organizations, especially those in academia, research institutions, and companies leveraging AI-based research tools, this vulnerability could lead to significant risks. Exploitation could result in session hijacking, unauthorized data access, or manipulation of research outputs, undermining trust and confidentiality. The stored XSS nature means that once injected, the malicious script persists and can affect multiple users, amplifying the impact. This could disrupt collaborative research workflows and expose sensitive intellectual property or personal data. Additionally, attackers could use the vulnerability as a foothold for further attacks within the network. The medium CVSS score reflects moderate risk; however, the potential for reputational damage and compliance issues under GDPR due to data exposure elevates the concern for European entities. Organizations relying on OrcaStatLLM-Researcher should assess their exposure and prioritize remediation to avoid operational and legal consequences.

To mitigate this vulnerability, organizations should implement strict input validation and sanitization on all user-supplied data, especially research topic inputs that are logged and displayed. Employ context-aware output encoding to neutralize any potentially malicious scripts before rendering in the browser. Utilize Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. Regularly audit and monitor logs and session pages for suspicious entries that could indicate exploitation attempts. Since no official patches are currently available, consider isolating or restricting access to the vulnerable OrcaStatLLM-Researcher instances until a fix is released. Educate users about the risks of clicking on untrusted links or session pages. Finally, implement web application firewalls (WAF) with rules designed to detect and block XSS payloads targeting this product.