Email Forgery Vulnerability in LORIS Web Application by ACES
CVE-2026-35400

3.5 LOW

Key Information:

Vendor: ACES
Status: Vendor
CVE Published: 8 April 2026

What is CVE-2026-35400?

The LORIS web application is affected by an email forgery vulnerability caused by improper validation of the baseURL in the publication module. A malicious actor who has access to the publication module can manipulate outgoing emails so that they appear to originate from the LORIS application, misleading recipients into treating the message as genuine LORIS communication. The CVSS assessment reflects this: the impact is to integrity only (Low), with no direct loss of confidentiality or availability, and a recipient has to act on the forged message (User Interaction: Required). Versions 20.0.0 up to but not including 27.0.3, and version 28.0.0, are affected; the issue is fixed in 27.0.3 and 28.0.1.
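The advisory names the weakness (improper validation of the baseURL used when the publication module builds outgoing mail) but does not say how that value reaches the module or how the fix validates it. The Python block below is an added illustration of the check a practitioner would expect for this class of bug, not LORIS code: a caller-influenced base URL is accepted only if its origin (scheme, host, effective port) and path prefix match the deployment's configured base, and is otherwise refused rather than silently used in a mail body. The function names, the configured value and the sample inputs are assumptions.

```python
"""Validate an externally influenced base URL before building links for
outgoing mail.  Added illustration only, not LORIS code; the function
names, the configured value and the sample inputs are assumptions."""
from __future__ import annotations

from urllib.parse import SplitResult, urlsplit, urlunsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


class InvalidBaseURL(ValueError):
    """Raised when a candidate base URL must not be used in outgoing mail."""


def _origin(parts: SplitResult) -> tuple[str, str, int]:
    """Reduce a split URL to (scheme, lowercase host, effective port)."""
    if parts.scheme not in _DEFAULT_PORTS:
        raise InvalidBaseURL(f"unsupported scheme {parts.scheme!r}")
    # 'https://loris.example.org@attacker.example/' parses as userinfo +
    # attacker host; refuse userinfo outright instead of comparing prefixes.
    if parts.username is not None or parts.password is not None:
        raise InvalidBaseURL("userinfo is not allowed in a base URL")
    if not parts.hostname:
        raise InvalidBaseURL("missing host")
    try:
        port = parts.port or _DEFAULT_PORTS[parts.scheme]
    except ValueError as exc:  # non-numeric or out-of-range port
        raise InvalidBaseURL("invalid port") from exc
    return parts.scheme, parts.hostname, port


def canonical_base_url(candidate: str, configured_base: str) -> str:
    """Return the canonical base URL if `candidate` names the same origin and
    path prefix as the deployment's configured base; otherwise raise.

    Comparing whole origins (not string prefixes) rejects look-alike hosts
    such as 'loris.example.org.attacker.example', scheme downgrades,
    non-default ports, and any query or fragment."""
    cand = urlsplit(candidate.strip())
    conf = urlsplit(configured_base)
    if cand.query or cand.fragment:
        raise InvalidBaseURL("query or fragment is not allowed in a base URL")
    scheme, host, port = _origin(cand)
    if (scheme, host, port) != _origin(conf):
        raise InvalidBaseURL(f"origin of {host!r} does not match configured base")
    if cand.path.rstrip("/") != conf.path.rstrip("/"):
        raise InvalidBaseURL("path prefix does not match configured base")
    netloc = host if port == _DEFAULT_PORTS[scheme] else f"{host}:{port}"
    return urlunsplit((scheme, netloc, conf.path.rstrip("/"), "", ""))


def is_valid_base_url(candidate: str, configured_base: str) -> bool:
    """Boolean wrapper around canonical_base_url for callers that only log."""
    try:
        canonical_base_url(candidate, configured_base)
        return True
    except InvalidBaseURL:
        return False


def mail_link(candidate_base: str, configured_base: str, relative: str) -> str:
    """Build an absolute link for an e-mail body from a validated base only."""
    base = canonical_base_url(candidate_base, configured_base)
    return base + "/" + relative.lstrip("/")


if __name__ == "__main__":
    CONFIGURED = "https://loris.example.org"  # assumed deployment setting
    # Constructed sample values, not captured from any real deployment.
    for supplied in (
        "https://LORIS.example.org:443/",
        "https://attacker.example/",
        "https://loris.example.org.attacker.example/",
        "https://loris.example.org@attacker.example/",
        "http://loris.example.org/",
        "https://loris.example.org:8443/",
    ):
        verdict = "accepted" if is_valid_base_url(supplied, CONFIGURED) else "rejected"
        print(f"{supplied:48} -> {verdict}")
    print(mail_link("https://loris.example.org/", CONFIGURED, "/publication/view/7"))
```

The safest deployment rule is to never derive the mail base URL from request data at all and to read it from configuration only; the validator above is for code paths where a supplied value still has to be compared against that configured origin before it reaches a template.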

Affected Version(s)

Loris >= 20.0.0, < 27.0.3 (fixed in 27.0.3)

Loris >= 28.0.0, < 28.0.1 (fixed in 28.0.1)

CVSS v3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Score: 3.5
Severity: LOW
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Timeline

  • Vulnerability reserved

  • Vulnerability published: 8 April 2026