Skip to main content

Loris CVE-2026-35169

| EUVDEUVD-2026-20574 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-04-08 GitHub_M
8.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.7 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

7
Re-analysis Queued
Apr 21, 2026 - 20:22 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:01 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
28.0.1,27.0.3
EUVD ID Assigned
Apr 08, 2026 - 19:31 euvd
EUVD-2026-20574
Analysis Generated
Apr 08, 2026 - 19:31 vuln.today
CVE Published
Apr 08, 2026 - 18:24 nvd
HIGH 8.7

DescriptionGitHub Advisory

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From to before 27.0.3 and 28.0.1, the help_editor module of LORIS did not properly sanitize some user supplied variables which could result in a reflected cross-site scripting attack if a user is tricked into following an invalid link. The same input vector could also allow an attacker to download arbitrary markdown files on an unpatched server. This vulnerability is fixed in 27.0.3 and 28.0.1.

AnalysisAI

Reflected cross-site scripting and arbitrary markdown file download in LORIS help_editor module affects versions prior to 27.0.3 and 28.0.1. Improper input sanitization allows authenticated attackers with low privileges to execute malicious scripts in victim browsers (requiring user interaction) and exfiltrate markdown files from the server. Attack requires network access and social engineering to trick users into following crafted links. No public exploit identified at time of analysis.

Technical ContextAI

CWE-79 reflected XSS stems from insufficient input validation in help_editor module user-supplied variables. Dual exploitation path: malicious payloads reflect into HTML responses causing script execution, while same injection vector enables path traversal to retrieve arbitrary markdown files. CVSS vector PR:L indicates authenticated context; UI:R confirms social engineering dependency. Scope change (S:C) reflects cross-domain impact potential.

RemediationAI

Vendor-released patches: upgrade to LORIS version 27.0.3 for 27.x deployments or 28.0.1 for 28.x deployments, which implement proper input sanitization in the help_editor module. Consult the official security advisory at https://github.com/aces/Loris/security/advisories/GHSA-j2p3-58m2-v6q3 for upgrade instructions and additional context. If immediate patching is not feasible, restrict access to the help_editor module to only trusted administrative users, implement web application firewall rules to detect reflected XSS patterns in help_editor parameters, and audit markdown file permissions to prevent unauthorized access. Deploy Content Security Policy headers to mitigate XSS execution impact as a defense-in-depth measure.

Share

CVE-2026-35169 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy