Platform: php
Component: loris
Fixed in: 27.0.4, 28.0.1
CVE-2026-35169 describes a reflected Cross-Site Scripting (XSS) vulnerability within the help_editor module of LORIS, a self-hosted web application for neuroimaging research. This flaw allows attackers to inject malicious scripts or download arbitrary markdown files if a user is tricked into clicking a crafted link. The vulnerability impacts LORIS versions 27.0.0 through 28.0.0, excluding 28.0.1, and is resolved in version 27.0.3 and 28.0.1.
Successful exploitation of CVE-2026-35169 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on the LORIS system. This could lead to session hijacking, data theft (including sensitive research data), or defacement of the LORIS interface. The ability to download arbitrary markdown files expands the attack surface, potentially enabling attackers to exfiltrate configuration files or other sensitive data stored on the server. The impact is particularly concerning given LORIS's use in neuroimaging research, where data privacy and integrity are paramount.
CVE-2026-35169 was publicly disclosed on 2026-04-08. No public proof-of-concept (PoC) code has been released as of this writing. The vulnerability is not currently listed on CISA KEV. Exploitation would likely require social engineering to trick a user into clicking a malicious link, making it a relatively low-probability attack vector unless the attacker can compromise a user's account.
Research institutions and laboratories utilizing LORIS to manage neuroimaging data are at significant risk. Organizations with legacy LORIS deployments or those that have not implemented robust input validation practices are particularly vulnerable. Shared hosting environments where multiple LORIS instances reside on the same server could also be affected, as a successful attack on one instance could potentially compromise others.
• php: Examine LORIS application logs for suspicious requests containing <script> tags or other XSS payloads within the help_editor module.
  grep -i '<script' /var/log/loris/application.log
• generic web: Use curl to test for XSS by injecting a simple payload into a parameter handled by the help_editor module and observing the response for script execution.
  curl 'http://loris-server/help_editor?input=<script>alert(1)</script>'
• generic web: Check access logs for unusual user agent strings or referral URLs associated with requests to the help_editor module.
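The grep above only catches a literal `<script` and misses URL-encoded or double-encoded payloads. As an added example (not from the page or the LORIS project), the following Python triage decodes the request path before matching and restricts hits to the help_editor module; the access-log lines and the Common Log Format layout are constructed assumptions for the demonstration.

```python
"""Triage access-log lines for reflected-XSS attempts aimed at help_editor.
Log lines below are constructed sample data, not from a real deployment."""
import re
from urllib.parse import unquote_plus

# Assumed Common Log Format: ip ident user [time] "METHOD PATH PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Script-injection indicators, matched on the decoded query string.
XSS_RE = re.compile(r'<\s*script|javascript:|on\w+\s*=|<\s*img|<\s*svg', re.IGNORECASE)

def decode_fully(s: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so double-encoding cannot hide a payload."""
    for _ in range(rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s

def is_help_editor_xss(line: str):
    """Return a hit dict if the line is a help_editor request whose query
    string carries an XSS indicator after decoding, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = decode_fully(m.group("path"))
    if "help_editor" not in path.lower() or "?" not in path:
        return None
    query = path.split("?", 1)[1]
    if not XSS_RE.search(query):
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"),
            "status": m.group("status"), "path": path}

def triage(lines):
    """Return all hits, in log order, for a list of raw log lines."""
    return [h for h in (is_help_editor_xss(l) for l in lines) if h]

# Constructed sample log: encoded payload, benign request, payload against
# another module (ignored), and a double-encoded payload against help_editor.
SAMPLE_LOG = [
    '203.0.113.5 - - [08/Apr/2026:10:15:01 +0000] "GET /help_editor/?input=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120',
    '198.51.100.7 - - [08/Apr/2026:10:16:22 +0000] "GET /help_editor/?topic=consent HTTP/1.1" 200 4096',
    '203.0.113.5 - - [08/Apr/2026:10:17:40 +0000] "GET /dashboard/?q=%3Cscript%3E HTTP/1.1" 200 2048',
    '192.0.2.9 - - [08/Apr/2026:10:18:05 +0000] "GET /help_editor/?input=%253Cscript%253E HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["status"], hit["path"])
```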
Disclosure
Patch
Exploit status
EPSS: 0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-35169 is to immediately upgrade LORIS to version 27.0.3 or 28.0.1. If upgrading is not immediately feasible, consider implementing strict input validation and output encoding in the help_editor module to sanitize user-supplied input. Web Application Firewalls (WAFs) configured to detect and block reflected XSS attacks can provide an additional layer of defense. Review LORIS access controls to limit who can access the help_editor functionality. After upgrading, confirm the vulnerability is resolved by attempting to trigger the XSS payload via a crafted URL; the payload should be neutralized.
Update the LORIS module to version 27.0.3 or later, or to version 28.0.1 or later. These versions fix the XSS vulnerability and the ability to download arbitrary markdown files, both caused by improper sanitization of user input.
CVE-2026-35169 is a reflected Cross-Site Scripting (XSS) vulnerability in LORIS, allowing attackers to inject malicious scripts or download arbitrary markdown files.
You are affected if you are running LORIS versions 27.0.0 through 28.0.0, excluding 28.0.1.
Upgrade LORIS to version 27.0.3 or 28.0.1. Consider WAF rules as a temporary mitigation.
Active exploitation is not currently confirmed, but the vulnerability's ease of exploitation warrants proactive mitigation.
Refer to the LORIS project's official website and security advisories for the latest information: [https://www.loris.dbmi.washington.edu/](https://www.loris.dbmi.washington.edu/)