Skip to main content

Loris EUVDEUVD-2026-20578

| CVE-2026-35403 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-08 GitHub_M
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
27.0.3,28.0.1
EUVD ID Assigned
Apr 08, 2026 - 19:31 euvd
EUVD-2026-20578
Analysis Generated
Apr 08, 2026 - 19:31 vuln.today
CVE Published
Apr 08, 2026 - 18:27 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 15.10 to before 27.0.3 and 28.0.1, there is a potential for a cross-site scripting attack in the survey_accounts module if a user provides an invalid visit label. While the data is properly JSON encoded, the Content-Type header is not set causing the web browser to interpret the payload as HTML, opening the possibility of a cross-site scripting if a user is tricked into following an invalid link. This vulnerability is fixed in 27.0.3 and 28.0.1.

AnalysisAI

Cross-site scripting (XSS) in LORIS survey_accounts module (versions 15.10 through 27.0.2 and 28.0.0) allows authenticated users with low privileges to inject malicious scripts via invalid visit labels. The vulnerability arises because responses are JSON-encoded but lack a proper Content-Type header, causing browsers to interpret the payload as HTML. An attacker can trick a victim into following a crafted link to execute arbitrary JavaScript in the victim's browser context, potentially compromising sensitive neuroimaging research data. Fixed in versions 27.0.3 and 28.0.1.

Technical ContextAI

LORIS is a self-hosted research data management platform for longitudinal neuroimaging studies. The survey_accounts module processes visit label inputs from authenticated users. The root cause (CWE-79: Improper Neutralization of Input During Web Page Generation) stems from a Content-Type header misconfiguration rather than inadequate output encoding. While JSON data itself is properly encoded, the missing or incorrect Content-Type header (likely text/html instead of application/json) causes the browser's MIME-sniffing behavior to interpret the response as HTML rather than structured data, allowing embedded scripts to execute. The vulnerability requires an authenticated user (PR:L) and user interaction (UI:R), limiting the attack surface to research team members with valid credentials who can be socially engineered.

RemediationAI

Vendor-released patches are available: LORIS 27.0.3 and 28.0.1 or later. Users running affected versions should upgrade immediately to either the 27.0.3 release (if on the 27.x branch) or 28.0.1 (if on the 28.x branch). The patch corrects the Content-Type header handling in the survey_accounts module to ensure responses are properly labeled as application/json, preventing browser MIME-sniffing attacks. No workarounds are documented; patching is the primary remediation. Refer to the GitHub Security Advisory at https://github.com/aces/Loris/security/advisories/GHSA-776p-5pwh-vc8p for detailed upgrade instructions and rollout guidance.

Share

EUVD-2026-20578 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy