Platform
php
Component
loris
Fixed in
20.0.1
28.0.1
CVE-2026-35400 affects LORIS, a self-hosted web application for neuroimaging research. This vulnerability allows an attacker with publication module access to forge emails, making them appear to originate from the LORIS system. The vulnerability impacts versions 20.0.0 through 28.0.0 (excluding 27.0.3 and 28.0.1). A fix is available in versions 27.0.3 and 28.0.1.
The primary impact of CVE-2026-35400 is the potential for email spoofing. An attacker who has access to the publication module within LORIS can manipulate the baseURL parameter in a POST request to specify an arbitrary external domain. This allows them to craft emails that appear to be sent by LORIS but actually originate from the attacker-controlled domain. While the vulnerability is rated LOW severity, successful exploitation could damage the reputation of the research institution using LORIS, lead to phishing attacks targeting researchers, or be used to distribute malicious content under the guise of official LORIS communications. The attacker needs existing publication module access to exploit this, which limits the immediate blast radius.
CVE-2026-35400 is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not currently available, suggesting a low probability of immediate widespread exploitation. The vulnerability was disclosed publicly on 2026-04-08. The LOW CVSS score reflects the requirement for existing publication module access, limiting the potential attack surface.
Research institutions and laboratories using LORIS for neuroimaging data management are at risk. Specifically, organizations with many users who have access to the publication module, or those running older, unpatched versions of LORIS, are particularly vulnerable. Shared hosting environments where multiple LORIS instances are deployed on the same server could also increase the risk of lateral movement if one instance is compromised.
• php: Examine LORIS application logs for suspicious POST requests to the publication module containing unusual or external baseURL values. Use grep to search for patterns like POST /publication_module.php ... baseURL=attacker.com ...
• generic web: Monitor email logs for emails originating from the LORIS server but with sender addresses or domains that are not associated with the legitimate LORIS infrastructure.
disclosure
Exploit Status
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-35400 is to upgrade LORIS to version 27.0.3 or 28.0.1. These versions contain a fix that properly validates the baseURL parameter, preventing the email spoofing vulnerability. If upgrading is not immediately feasible, consider implementing stricter access controls for the publication module to limit the number of users who could potentially exploit the vulnerability. A direct WAF rule is difficult to write because the manipulated value is a POST body parameter, but monitoring for unusual email sending patterns originating from the LORIS server could provide an early warning sign of exploitation. After upgrading, confirm the fix by attempting to submit a publication request with a malicious baseURL and verifying that the request is rejected.
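The following Python script is an added example (not LORIS project code) that applies the detection advice above to constructed application log lines: it extracts the baseURL from publication-module POSTs and flags any value whose host is not the deployment's own, using the same allowlist check that a fix of the kind described (validating baseURL against the legitimate host) would need. The log line format, the path /publication_module.php and the trusted host loris.example.org are assumptions made for this example.

```python
import re
from urllib.parse import unquote, urlsplit

# Hostnames this LORIS deployment may use in baseURL (constructed
# assumption for the example; set it to your own host).
TRUSTED_HOSTS = {"loris.example.org"}

# Assumed (constructed) application-log format:
# "<timestamp> <method> <path> key=urlencoded-value ... user=<name>"
LOG_RE = re.compile(r"POST\s+\S*publication\S*\s.*?\bbaseURL=([^\s&]+)")

def baseurl_is_trusted(base_url, trusted_hosts=TRUSTED_HOSTS):
    """True only for an http(s) URL whose host is on the allowlist.
    urlsplit().hostname drops userinfo, port and case, so
    'https://loris.example.org@attacker.example' yields host
    'attacker.example' and is rejected; a bare host or '//host'
    has no scheme and is rejected as well."""
    try:
        parts = urlsplit(base_url)
    except ValueError:  # e.g. malformed IPv6 brackets
        return False
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return parts.hostname in trusted_hosts

def find_suspicious_baseurls(log_lines, trusted_hosts=TRUSTED_HOSTS):
    """(line_no, decoded baseURL) for each publication-module POST
    whose baseURL fails baseurl_is_trusted()."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        match = LOG_RE.search(line)
        if match:
            value = unquote(match.group(1))
            if not baseurl_is_trusted(value, trusted_hosts):
                hits.append((line_no, value))
    return hits

# Constructed sample log: a legitimate request, two forged ones, a GET
# that is ignored, and an upper-case host with explicit port.
SAMPLE_LOG = [
    "2026-04-08T10:12:03Z POST /publication_module.php baseURL=https%3A%2F%2Floris.example.org user=alice",
    "2026-04-08T10:13:41Z POST /publication_module.php baseURL=https%3A%2F%2Fattacker.example user=bob",
    "2026-04-08T10:14:09Z POST /publication_module.php baseURL=https%3A%2F%2Floris.example.org%40attacker.example user=bob",
    "2026-04-08T10:15:22Z GET /publication_module.php user=carol",
    "2026-04-08T10:16:05Z POST /publication_module.php baseURL=https%3A%2F%2FLORIS.example.org%3A443 user=dave",
]

if __name__ == "__main__":
    for line_no, value in find_suspicious_baseurls(SAMPLE_LOG):
        print(f"line {line_no}: untrusted baseURL {value!r}")
```

Run it against your real log lines after adjusting LOG_RE and TRUSTED_HOSTS; the userinfo trick on line 3 is the kind of value a naive substring check for the legitimate hostname would miss.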
Upgrade LORIS to version 27.0.3 or later, or to version 28.0.1 or later. This update corrects how the baseURL is handled in the publication module, preventing an attacker from forging emails.
CVE-2026-35400 is a LOW severity vulnerability in LORIS versions 20.0.0 through 28.0.0 that allows an attacker with publication module access to forge emails appearing to come from the LORIS system.
You are affected if you are running LORIS versions 20.0.0 through 28.0.0 (excluding 27.0.3 and 28.0.1) and have users with access to the publication module.
Upgrade LORIS to version 27.0.3 or 28.0.1 to remediate the vulnerability. If immediate upgrade is not possible, restrict access to the publication module.
There are currently no public reports or confirmed instances of CVE-2026-35400 being actively exploited.
Refer to the official LORIS documentation and security advisories on the LORIS project website for the latest information.