Skip to main content

Loris CVE-2026-35400

| EUVDEUVD-2026-20576 LOW
Improper Link Resolution Before File Access (CWE-59)
2026-04-08 GitHub_M
3.5
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.5 LOW
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
27.0.3,28.0.1
EUVD ID Assigned
Apr 08, 2026 - 19:31 euvd
EUVD-2026-20576
Analysis Generated
Apr 08, 2026 - 19:31 vuln.today
CVE Published
Apr 08, 2026 - 18:26 nvd
LOW 3.5

DescriptionGitHub Advisory

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 20.0.0 to before 27.0.3 and 28.0.1, an endpoint in the publication module was incorrectly trusting the baseURL submitted by a user's POST request rather than the internal LORIS value. This could result in a theoretical attacker with publication module access forging an email to an external domain under the attacker's control which appeared to come from LORIS. This vulnerability is fixed in 27.0.3 and 28.0.1.

AnalysisAI

LORIS (Longitudinal Online Research and Imaging System) versions 20.0.0 through 27.0.2 and 28.0.0 allow authenticated users with publication module access to forge emails appearing to originate from LORIS by submitting a malicious baseURL parameter in POST requests, enabling email spoofing attacks against external recipients. The vulnerability requires user interaction (email recipient click) and publication module privileges but could facilitate social engineering or phishing campaigns. Fixed in versions 27.0.3 and 28.0.1.

Technical ContextAI

LORIS is a self-hosted neuroimaging research data management platform. The vulnerability exists in the publication module's email generation endpoint, which fails to validate and sanitize the baseURL parameter submitted by users in POST requests. Instead of using the internally-configured LORIS baseURL value (which represents the legitimate server domain), the application trusts user-supplied input to construct email content. This violates the principle of trusting only authoritative internal configuration sources for security-critical values like email sender domains. The root cause is improper input validation and reliance on untrusted user input (CWE-59: Improper Link Resolution Before File Access, though more accurately CWE-20: Improper Input Validation) for constructing email headers and content that should derive exclusively from server configuration.

RemediationAI

Upgrade LORIS to version 27.0.3 or later if running the 27.x branch, or upgrade to version 28.0.1 or later if running the 28.x branch. Organizations unable to upgrade immediately should restrict publication module access to trusted internal staff only and monitor email logs for anomalous baseURL parameters in POST requests to publication endpoints. Security advisory details are available at https://github.com/aces/Loris/security/advisories/GHSA-6prw-34x8-3gpg. Review access controls for the publication module to limit exposure to users who have legitimate need for that functionality.

Share

CVE-2026-35400 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy