CVE-2026-35400

Source
https://cve.org/CVERecord?id=CVE-2026-35400
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35400.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-35400
Aliases
  • GHSA-6prw-34x8-3gpg
Published
2026-04-08T18:26:09.890Z
Modified
2026-07-08T07:32:35.931194095Z
Severity
  • 3.5 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
Summary
LORIS incorrectly trusts user input in publication module
Details

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 20.0.0 to before 27.0.3 and 28.0.1, an endpoint in the publication module was incorrectly trusting the baseURL submitted by a user's POST request rather than the internal LORIS value. This could result in a theoretical attacker with publication module access forging an email to an external domain under the attacker's control which appeared to come from LORIS. This vulnerability is fixed in 27.0.3 and 28.0.1.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-59"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35400.json"
}
References

Affected packages

Git / github.com/aces/loris

Affected ranges

Type
GIT
Repo
https://github.com/aces/loris
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "20.0.0"
        },
        {
            "fixed": "27.0.3"
        },
        {
            "introduced": "28.0.0"
        },
        {
            "fixed": "28.0.1"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

28.*
28.0.0
v28.*
v28.0.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35400.json"