Cross-Site Scripting Vulnerability in LORIS Web Application
CVE-2026-35403

6.5 MEDIUM

Key Information:

Vendor: Aces
Status: Vendor
CVE Published: 8 April 2026

What is CVE-2026-35403?

The LORIS web application, designed for managing neuroimaging research data, is susceptible to cross-site scripting via the survey_accounts module when an invalid visit label is supplied. Although the response data is JSON encoded correctly, the absence of a Content-Type header leads the web browser to sniff the response body and treat it as HTML. An attacker could exploit this by tricking a user into opening a crafted link, thereby executing arbitrary script in the context of that user's session. The vulnerability has been addressed in LORIS versions 27.0.3 and 28.0.1.
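The mechanism above, as an added example that is not LORIS code: the label value and the error-message format are constructed placeholders, and the MIME-sniffing model is a deliberate simplification of browser behaviour. It shows that correct JSON encoding leaves a tag intact, that a missing Content-Type is what lets the body render as HTML, and the header check a defender would apply to such an endpoint.

```python
import json

# Constructed sample input: an invalid visit label carrying HTML. Placeholder value,
# not taken from the advisory.
TAINTED_LABEL = "<script>alert(1)</script>"

def json_error_body(label: str, escape_html: bool = False) -> str:
    """Serialise an error object echoing the label. json.dumps leaves '<' and '>'
    untouched; escape_html=True emits them as \\u escapes (still valid JSON), so the
    body cannot form a tag even if a browser renders it as HTML."""
    body = json.dumps({"error": f"Invalid visit label: {label}"})
    if escape_html:
        body = body.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")
    return body

def decoded_label(body: str) -> str:
    """Parse the body as JSON: escaping changes nothing for a JSON client."""
    return json.loads(body)["error"]

def browser_treats_as_html(headers: dict, body: str) -> bool:
    """Simplified model of MIME sniffing (an approximation, not the spec): a declared
    JSON type or nosniff stops sniffing; otherwise markup in the body gets rendered."""
    ctype = headers.get("Content-Type", "").lower()
    if ctype.startswith("application/json"):
        return False
    if headers.get("X-Content-Type-Options", "").lower() == "nosniff":
        return False
    lowered = body.lower()
    return "<script" in lowered or "<html" in lowered

def audit_json_response(headers: dict) -> list:
    """Header check for a JSON endpoint, as a reviewer or response-scanning test
    would apply it; returns the findings."""
    findings = []
    ctype = headers.get("Content-Type", "")
    if not ctype:
        findings.append("missing Content-Type")
    elif not ctype.lower().startswith("application/json"):
        findings.append(f"unexpected Content-Type {ctype!r} for a JSON body")
    if headers.get("X-Content-Type-Options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings

# The weak response (no Content-Type, as the advisory describes) beside the hardened one.
VULNERABLE = ({}, json_error_body(TAINTED_LABEL))
HARDENED = ({"Content-Type": "application/json; charset=utf-8",
             "X-Content-Type-Options": "nosniff"},
            json_error_body(TAINTED_LABEL, escape_html=True))
```

Declaring the JSON type is the fix the advisory implies; nosniff and the \u escaping are defence in depth should a handler ever omit the header again.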

Affected Version(s)

Loris >= 15.10, < 27.0.3

Loris >= 28.0.0, < 28.0.1

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved