Orca · Orca Heat Pump · CVE-2026-25599
**Name of the Vulnerable Software and Affected Versions**
Orca heat pump devices (affected versions not specified)
**Description**
Missing authentication and clear-text transmission of data from heat pumps to the control server, combined with a lack of input validation on aggregated data, allow for stored Cross-Site Scripting (XSS). This occurs because older devices communicate with the Orca server via unencrypted and unauthenticated HTTP connections on non-secure ports. An attacker can impersonate a legitimate device to inject malicious payloads into the Orca user portal, which may lead to the theft of cookies from the web control interface, compromise of user accounts, and exposure of sensitive information.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.