Platform: php
Component: loris
Fixed in: 15.10.1, 28.0.1
CVE-2026-35403 describes a cross-site scripting (XSS) vulnerability in LORIS, a self-hosted web application for neuroimaging research. An attacker who tricks a user into following a specially crafted link containing an invalid visit label can have script of their choosing run in that user's browser. The vulnerability affects LORIS versions 15.10 through 28.0.0 (28.0.1 is not affected) and has been resolved in version 27.0.3.
Successful exploitation of CVE-2026-35403 lets an attacker execute arbitrary JavaScript in the victim's browser, in the context of that user's LORIS session. This can lead to the theft of sensitive data, including credentials and research data, and potentially to access to other connected systems. An attacker could also deface the LORIS interface or redirect users to malicious websites. The impact is greater where LORIS manages sensitive research data or integrates with other critical systems, since a compromised session could become a stepping stone for lateral movement within the research network.
CVE-2026-35403 was publicly disclosed on April 8, 2026. No public proof-of-concept (PoC) code had been released at the time of writing. The severity is assessed as Medium. It is not currently listed in the CISA KEV catalog. Active exploitation is not confirmed, but because the vulnerability details are public, exploitation attempts may follow.
Exploit Status
EPSS: 0.03% (9th percentile)
The primary mitigation for CVE-2026-35403 is to upgrade LORIS to version 27.0.3 or later. If an immediate upgrade is not possible, add input validation on the visit label field so that user-supplied values are checked before they are used. There is no direct workaround, but a Content Security Policy (CSP) limits the damage an XSS flaw can do by restricting the sources from which scripts may be loaded and executed. Regularly review the LORIS configuration and confirm that security best practices are followed.
Update the survey_accounts module to version 27.0.3 or higher, or to version 28.0.1. The update fixes the XSS vulnerability by ensuring that the Content-Type header is set correctly, so the browser no longer interprets the response containing the payload as HTML.
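As an added illustration of the hardening the fix description and the mitigation advice point to, the PHP handler below contrasts a weak response that reflects an unchecked visit label with no declared Content-Type against a hardened one that validates the label against an allowlist, escapes anything it reflects, and declares the Content-Type explicitly. This is example code written for this page, not LORIS code: the handler, the `visit_label` parameter, the allowed-label pattern and the sample input are all assumptions.

```php
<?php
// Added example, not LORIS code. Assumptions: the request carries a
// "visit_label" parameter and valid labels match VISIT_LABEL_PATTERN.
declare(strict_types=1);

const VISIT_LABEL_PATTERN = '/^[A-Za-z0-9_-]{1,32}$/';
const JSON_FLAGS = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;

// Weak pattern: the unvalidated label is echoed into an error message and
// no Content-Type is declared, so the browser may render the body as HTML.
function weakVisitResponse(string $label): array
{
    return [
        'status'  => 404,
        'headers' => [],
        'body'    => 'Visit label ' . $label . ' not found',
    ];
}

// Hardened pattern: reject labels outside the allowlist, never reflect a
// rejected value, escape what is reflected, and declare the Content-Type
// (plus nosniff) so the body is treated as data rather than a document.
function hardenedVisitResponse(string $label): array
{
    $headers = [
        'Content-Type'           => 'application/json; charset=utf-8',
        'X-Content-Type-Options' => 'nosniff',
    ];
    if (preg_match(VISIT_LABEL_PATTERN, $label) !== 1) {
        return [
            'status'  => 400,
            'headers' => $headers,
            'body'    => json_encode(['error' => 'invalid visit label'], JSON_FLAGS),
        ];
    }
    // Even a validated label is encoded before it is placed in the body.
    return [
        'status'  => 200,
        'headers' => $headers,
        'body'    => json_encode(['visit_label' => $label], JSON_FLAGS),
    ];
}

// If the label must be placed inside an HTML page instead, escape it for
// that context rather than relying on the JSON encoding above.
function labelForHtml(string $label): string
{
    return htmlspecialchars($label, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Send one of the response arrays above (for use under a web SAPI).
function emit(array $response): void
{
    http_response_code($response['status']);
    foreach ($response['headers'] as $name => $value) {
        header($name . ': ' . $value);
    }
    echo $response['body'];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample input: markup where a visit label is expected.
    $sample = '<b>not-a-visit</b>';
    echo "weak:     ", weakVisitResponse($sample)['body'], "\n";      // markup passes through
    echo "hardened: ", hardenedVisitResponse($sample)['body'], "\n";  // 400, value not reflected
    echo "valid:    ", hardenedVisitResponse('V01')['body'], "\n";    // {"visit_label":"V01"}
    echo "html ctx: ", labelForHtml($sample), "\n";                   // &lt;b&gt;... escaped
}
```

Run it with `php example.php` to compare the three bodies; under a web server, pass the result of `hardenedVisitResponse($_GET['visit_label'] ?? '')` to `emit()`. The allowlist check is the primary control; the explicit Content-Type and `nosniff` header are what stop a browser from guessing that a reflected value is a document, which is the failure the fix description attributes to the affected versions.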
CVE-2026-35403 is a cross-site scripting (XSS) vulnerability in LORIS, a neuroimaging research system, allowing attackers to inject malicious scripts via a crafted visit label.
You are affected if you are running LORIS versions 15.10 through 28.0.0 (>= 15.10, < 28.0.1). Upgrade to mitigate the risk.
Upgrade LORIS to version 27.0.3 or later. Consider input validation and Content Security Policy (CSP) as temporary workarounds.
Active exploitation is not currently confirmed, but the vulnerability is publicly known and could be targeted.
Refer to the official LORIS security advisories on their website or GitHub repository for the latest information.