{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35169", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-01T17:26:21.133Z", "datePublished": "2026-04-08T18:24:27.757Z", "dateUpdated": "2026-04-09T14:21:17.788Z"}, "containers": {"cna": {"title": "LORIS has potential cross-site scripting in help_editor module", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-552", "lang": "en", "description": "CWE-552: Files or Directories Accessible to External Parties", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/aces/Loris/security/advisories/GHSA-j2p3-58m2-v6q3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/aces/Loris/security/advisories/GHSA-j2p3-58m2-v6q3"}], "affected": [{"vendor": "aces", "product": "Loris", "versions": [{"version": ">= , < 27.0.3", "status": "affected"}, {"version": ">= 28.0.0, < 28.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T18:24:27.757Z"}, "descriptions": [{"lang": "en", "value": "LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From to before 27.0.3 and 28.0.1, the help_editor module of LORIS did not properly sanitize some user supplied variables which could result in a reflected cross-site scripting attack if a user is tricked into following an invalid link. The same input vector could also allow an attacker to download arbitrary markdown files on an unpatched server. This vulnerability is fixed in 27.0.3 and 28.0.1."}], "source": {"advisory": "GHSA-j2p3-58m2-v6q3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T14:21:10.582635Z", "id": "CVE-2026-35169", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:21:17.788Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35169", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-09T14:21:10.582635Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:21:14.175Z"}}], "cna": {"title": "LORIS has potential cross-site scripting in help_editor module", "source": {"advisory": "GHSA-j2p3-58m2-v6q3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "aces", "product": "Loris", "versions": [{"status": "affected", "version": ">= , < 27.0.3"}, {"status": "affected", "version": ">= 28.0.0, < 28.0.1"}]}], "references": [{"url": "https://github.com/aces/Loris/security/advisories/GHSA-j2p3-58m2-v6q3", "name": "https://github.com/aces/Loris/security/advisories/GHSA-j2p3-58m2-v6q3", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From to before 27.0.3 and 28.0.1, the help_editor module of LORIS did not properly sanitize some user supplied variables which could result in a reflected cross-site scripting attack if a user is tricked into following an invalid link. The same input vector could also allow an attacker to download arbitrary markdown files on an unpatched server. This vulnerability is fixed in 27.0.3 and 28.0.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-552", "description": "CWE-552: Files or Directories Accessible to External Parties"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T18:24:27.757Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35169", "state": "PUBLISHED", "dateUpdated": "2026-04-09T14:21:17.788Z", "dateReserved": "2026-04-01T17:26:21.133Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-08T18:24:27.757Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mcgill:loris:*:*:*:*:*:*:*:*", "matchCriteriaId": "4AEE921E-77AD-44F9-AC03-DCD447CF3897", "versionEndIncluding": "27.0.2", "versionStartIncluding": "15.10", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcgill:loris:28.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D358B66A-04AC-44F2-8EF6-4332D8AC00F4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From to before 27.0.3 and 28.0.1, the help_editor module of LORIS did not properly sanitize some user supplied variables which could result in a reflected cross-site scripting attack if a user is tricked into following an invalid link. The same input vector could also allow an attacker to download arbitrary markdown files on an unpatched server. This vulnerability is fixed in 27.0.3 and 28.0.1."}], "id": "CVE-2026-35169", "lastModified": "2026-04-21T20:16:53.940", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-08T19:25:23.447", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/aces/Loris/security/advisories/GHSA-j2p3-58m2-v6q3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-552"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,27.0.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[28.0.0,28.0.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Loris", "source": "cna", "vendor": "aces"}, "product": "loris", "vendor": "aces"}], "analysis": {"en": {"generated_at": "2026-04-08T21:06:01.761011+00:00", "value": {"mitigation_remediation": ["Upgrade Loris to version 27.0.3 or later in the 27 series, or to 28.0.1 or later in the 28 series, to apply the sanitization fix.", "If an upgrade cannot be performed immediately, restrict access to the help_editor module to trusted internal users and block the endpoint from public or untrusted networks.", "Disable or remove the markdown download capability for unpatched instances until a patch is applied.", "Monitor logs for suspicious access to the help_editor endpoint and block offending IP addresses.", "Configure a web application firewall to detect and block reflected XSS payloads targeting the help_editor module."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting and Arbitrary File Download"}, "threat_synthesis": {"affected_systems": "The issue affects installations of Loris running versions older than 27.0.3 or 28.0.1. The vendor \"aces\" has released patch versions that include the sanitization fix. No explicit deployment environment is documented, but the application is typically self\u2011hosted.", "description_and_impact": "The vulnerability exists in the help_editor module of Loris, a self\u2011hosted web application for neuroimaging research. Versions before 27.0.3 (in the 27 series) and before 28.0.1 (in the 28 series) fail to sanitize certain user\u2011supplied variables. This flaw allows a reflected cross\u2011site scripting (XSS) attack if a user follows a maliciously crafted link. The same input path also lets an attacker download arbitrary markdown files from an unpatched server.", "risk_and_exploitability": "The CVSS score of 8.7 indicates a high\u2011severity flaw that is potentially exploitable via a web\u2011based request to the help_editor endpoint. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the victim to be a legitimate Loris user who clicks a crafted URL; the attacker can then execute arbitrary JavaScript in the victim\u2019s browser and obtain markdown files, compromising confidentiality and enabling further exploitation of the hosting environment."}}}}, "created": "2026-04-09T08:18:27.042467+00:00", "updated": "2026-04-09T08:27:49.390102+00:00", "vendors": ["aces", "aces$PRODUCT$loris"]}