Platform: php
Component: loris
Fixed in: 27.0.3, 28.0.1
CVE-2026-35400 affects LORIS, a self-hosted web application for neuroimaging research. An attacker who already has access to the publication module can cause LORIS to send emails that carry attacker-chosen content while appearing to come from the LORIS system. Versions 20.0.0 through 28.0.0 are affected, with the exception of 27.0.3; the fix ships in 27.0.3 for the 27.x line and in 28.0.1 for the 28.x line.
The primary impact of CVE-2026-35400 is email spoofing. The publication module accepts a baseURL parameter in a POST request and uses it, without validation, when it builds the notification email. An attacker with module access can set baseURL to an arbitrary external domain, so the links in the resulting email point at a host the attacker controls. The email itself is still sent by the LORIS server from its legitimate sender address, which is what makes the lure convincing: recipients see an institutional message and follow links that leave the institution. The vulnerability is rated LOW severity, but successful exploitation could damage the reputation of the research institution running LORIS, enable phishing of researchers, or deliver malicious content under the guise of official LORIS communications. Because the attacker needs existing publication module access, the immediate blast radius is limited to deployments whose module users are not fully trusted.
CVE-2026-35400 is not currently listed in the CISA KEV catalog, and no public proof-of-concept exploit is available, which suggests a low probability of immediate widespread exploitation. The vulnerability was disclosed publicly on 2026-04-08. The LOW severity rating reflects the requirement for existing publication module access, which limits the attack surface.
Exploit Status
EPSS: 0.03% (8th percentile)
The primary mitigation for CVE-2026-35400 is to upgrade LORIS to version 27.0.3 or 28.0.1. These releases validate the baseURL parameter in the publication module, so an attacker can no longer direct notification emails at an external domain. If upgrading is not immediately feasible, restrict access to the publication module to the smallest set of trusted users. A WAF rule that rejects publication-module POST bodies whose baseURL does not match the deployment's own origin is possible but brittle, since it must be kept in step with every hostname the site legitimately uses; monitoring the LORIS server for unusual outbound email volume or for notification emails whose links do not point at the site's own hostname gives an earlier and more reliable warning. After upgrading, confirm the fix by submitting a publication request with a baseURL that names a foreign host and verifying that the request is rejected (or, at minimum, that any email it produces still links to the configured LORIS hostname).
Update LORIS to version 27.0.3 or later on the 27.x line, or to version 28.0.1 or later on the 28.x line. This update corrects how the publication module handles baseURL, preventing an attacker from forging emails.
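The following is an added illustration, not code from the LORIS project, of the pattern described above: a link builder that trusts a client-supplied baseURL beside one that accepts only the deployment's configured origin, plus the post-upgrade check described in the mitigation section run against a set of constructed spoofing payloads. Everything beyond the parameter name baseURL is an assumption: the configured origin https://loris.example.org, the notification path, and the function names are hypothetical.

```python
"""Added example (not LORIS project code): how a client-supplied baseURL
becomes an email spoofing primitive, and how validating it closes the hole.

Assumptions (hypothetical): the POST field is named baseURL, the
deployment's public origin is https://loris.example.org, and notification
emails link to a path such as /publication/view?id=1.
"""
from urllib.parse import urlsplit

CONFIGURED_BASE_URL = "https://loris.example.org"  # assumed server-side config value

# Constructed attacker-controlled values for the baseURL POST parameter.
SPOOF_PAYLOADS = [
    "https://attacker.example",                    # plain foreign host
    "http://loris.example.org",                     # scheme downgrade
    "https://loris.example.org@attacker.example",   # userinfo trick: hostname is attacker.example
    "https://loris.example.org.attacker.example",   # lookalike subdomain
    "//attacker.example",                           # scheme-relative URL
    "https://loris.example.org:8443",               # right host, wrong port
]


def build_link_vulnerable(form: dict, path: str) -> str:
    """Pre-fix pattern: whatever base the client posted ends up in the email."""
    base = form.get("baseURL") or CONFIGURED_BASE_URL
    return base.rstrip("/") + "/" + path.lstrip("/")


def base_url_matches_config(candidate: str, configured: str = CONFIGURED_BASE_URL) -> bool:
    """Accept a base URL only if it is the configured origin: same scheme,
    host and port, no credentials, no query or fragment smuggled in."""
    try:
        cand, conf = urlsplit(candidate), urlsplit(configured)
        if cand.scheme != conf.scheme or not cand.hostname:
            return False
        if cand.username or cand.password or cand.query or cand.fragment:
            return False
        default_port = 443 if conf.scheme == "https" else 80
        return (cand.hostname.lower() == conf.hostname.lower()
                and (cand.port or default_port) == (conf.port or default_port)
                and cand.path.rstrip("/") == conf.path.rstrip("/"))
    except ValueError:  # e.g. a non-numeric port makes .port raise
        return False


def build_link_hardened(form: dict, path: str) -> str:
    """Post-fix pattern: reject the request unless baseURL is the configured
    origin, and build the link from the server-side value regardless."""
    base = form.get("baseURL") or CONFIGURED_BASE_URL
    if not base_url_matches_config(base):
        raise ValueError("baseURL does not match the configured origin")
    return CONFIGURED_BASE_URL.rstrip("/") + "/" + path.lstrip("/")


def spoofable_links(link_builder, path: str = "/publication/view?id=1") -> list:
    """Post-upgrade check: feed each payload to the link builder and collect
    every link that lands off the configured origin. A rejected request
    (ValueError) is the desired outcome and is not counted."""
    trusted = urlsplit(CONFIGURED_BASE_URL)
    leaked = []
    for payload in SPOOF_PAYLOADS:
        try:
            link = link_builder({"baseURL": payload}, path)
        except ValueError:
            continue
        parts = urlsplit(link)
        if (parts.scheme, parts.netloc.lower()) != (trusted.scheme, trusted.netloc.lower()):
            leaked.append(link)
    return leaked


if __name__ == "__main__":
    print("vulnerable builder leaks:", spoofable_links(build_link_vulnerable))
    print("hardened builder leaks:", spoofable_links(build_link_hardened))
```

Against a live server the same check is a POST per payload followed by a look at the resulting email (or the rejection), but the decision logic is the one above: compare the origin of every link in the message with the origin you configured, and treat anything else as a failed fix. Note that the hardened builder does not merely validate and then trust the client value; it builds the link from the server-side configuration, so a validation bug cannot reintroduce the problem.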
CVE-2026-35400 is a LOW severity vulnerability in LORIS versions 20.0.0 through 28.0.0 that allows an attacker with publication module access to send emails, through the LORIS system itself, whose links point at a domain the attacker controls.
You are affected if you are running LORIS version 20.0.0 through 28.0.0 (other than 27.0.3) and have users with access to the publication module.
Upgrade LORIS to version 27.0.3 or 28.0.1 to remediate the vulnerability. If an immediate upgrade is not possible, restrict access to the publication module to trusted users.
There are currently no public reports or confirmed instances of CVE-2026-35400 being actively exploited.
Refer to the official LORIS documentation and security advisories on the LORIS project website for the latest information.