CVE-2026-35169
Published: 08 April 2026
Summary
CVE-2026-35169 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Mcgill Loris. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Spearphishing Link (T1566.002); it ranks at the 11.2 percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 ensures timely flaw remediation through patching, directly addressing the improper sanitization vulnerability fixed in LORIS versions 27.0.3 and 28.0.1.
SI-10 requires validation of user-supplied inputs, preventing both reflected XSS and arbitrary markdown file downloads due to unsanitized variables in the help_editor module.
SI-15 mandates output filtering to web pages, directly mitigating the reflected XSS attack by blocking execution of malicious JavaScript from unsanitized inputs.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS via malicious links enables spearphishing (T1566.002), arbitrary JavaScript execution (T1059.007), keylogging (T1056.001), and web session cookie theft (T1539); arbitrary markdown file downloads enable local data collection (T1005).
NVD Description
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From to before 27.0.3 and 28.0.1, the help_editor module of LORIS did not properly sanitize some user supplied variables which could result in a reflected cross-site scripting attack if a user is tricked into following an invalid link. The same input vector could also allow an attacker to download arbitrary markdown files on an unpatched server. This vulnerability is fixed in 27.0.3 and 28.0.1.
Deeper analysis
CVE-2026-35169 is a vulnerability in the help_editor module of LORIS, a self-hosted web application used for data and project management in neuroimaging research. The issue stems from improper sanitization of user-supplied variables in affected versions prior to 27.0.3 and 28.0.1, enabling a reflected cross-site scripting (XSS) attack (CWE-79) and arbitrary markdown file downloads (CWE-552). It has a CVSS v3.1 base score of 8.7 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality and integrity.
An attacker with low privileges (PR:L), such as an authenticated user, can exploit this by crafting a malicious link and tricking a victim into interacting with it (UI:R), for example by clicking it or submitting a form it pre-fills. Successful exploitation leads to reflected XSS: arbitrary JavaScript runs in the victim's browser, a component other than the vulnerable LORIS server (S:C), where it can steal session cookies, log keystrokes, or exfiltrate other sensitive data. The same input vector also permits downloading arbitrary markdown files from the server, exposing potentially confidential research data or configurations.
The GitHub security advisory (GHSA-j2p3-58m2-v6q3) confirms the vulnerability is fixed in LORIS versions 27.0.3 and 28.0.1 through improved input sanitization in the help_editor module. Security practitioners should urge users of affected LORIS installations to upgrade immediately and review access controls to the help_editor module, as it requires low privileges for exploitation.
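To make the two controls above concrete (SI-10 input validation against the markdown download, SI-15 output filtering against the reflected XSS), here is an added illustration written for this page. It is not LORIS code and does not reproduce the actual help_editor implementation or the upstream fix; the `title` and `file` parameter names, the `help/` directory layout and the sample files are constructed assumptions. It places a hypothetical pre-fix handler beside a hardened one so the difference in behaviour can be checked directly.

```python
import html
import re
import tempfile
from pathlib import Path

# Constructed sample layout (assumption, not the real LORIS tree): one
# legitimate markdown page inside "help/", and one file outside it that a
# traversal payload should never be able to reach.
ROOT = Path(tempfile.mkdtemp())
HELP_DIR = ROOT / "help"
HELP_DIR.mkdir()
(HELP_DIR / "intro.md").write_text("# Intro\nWelcome to the help editor.\n")
(ROOT / "secret.md").write_text("db_password=hunter2\n")

# Allowlist for the file parameter: a bare markdown file name, nothing else.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.md$")


def render_help_vulnerable(params: dict) -> str:
    """Hypothetical pre-fix pattern: request parameters flow unchanged into
    both a filesystem path and the HTML response."""
    title = params.get("title", "")
    filename = params.get("file", "intro.md")
    body = (HELP_DIR / filename).read_text()        # no containment check
    return f"<h1>{title}</h1>\n<pre>{body}</pre>"   # no output encoding


def render_help_hardened(params: dict) -> str:
    """Same page with SI-10 style input validation and SI-15 style output
    encoding applied."""
    title = params.get("title", "")
    filename = params.get("file", "intro.md")
    # SI-10: accept only a plain markdown file name, then confirm the resolved
    # path still sits under HELP_DIR (defence in depth against encoded or
    # symlinked traversal that a regex alone would not catch).
    if not SAFE_NAME.fullmatch(filename):
        raise ValueError("rejected file name")
    target = (HELP_DIR / filename).resolve()
    if HELP_DIR.resolve() not in target.parents:
        raise ValueError("path escapes help directory")
    body = target.read_text()
    # SI-15: encode every value reflected into an HTML text context, so a
    # script tag carried in the link is rendered as text, not executed.
    return f"<h1>{html.escape(title)}</h1>\n<pre>{html.escape(body)}</pre>"


def hardened_rejects(params: dict) -> bool:
    """True when the hardened handler refuses the request outright."""
    try:
        render_help_hardened(params)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # A link an attacker might send in a spearphishing message (constructed).
    xss = {"title": "<script>alert(document.cookie)</script>", "file": "intro.md"}
    traversal = {"file": "../secret.md"}
    print(render_help_vulnerable(xss))        # script tag reflected verbatim
    print(render_help_hardened(xss))          # &lt;script&gt; rendered inert
    print(render_help_vulnerable(traversal))  # leaks secret.md
    print(hardened_rejects(traversal))        # True
```

The regex check alone would already stop `../secret.md`; the `resolve()` containment test is there for the cases a name allowlist misses, such as a legitimately named file that is itself a symlink out of the help directory. Note that `html.escape` is correct only for the HTML text and attribute contexts used here; a value reflected into a script block or a URL needs the encoding for that context instead.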
Details
- CWE(s)