Cyber Resilience

CVE-2026-35400

Severity: Low
Published: 08 April 2026
Modified: 21 April 2026
CVSS v3.1 Score: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)
EPSS Score: 0.0020 (10.1th percentile)
Risk Priority: 15 (floored blend · peak EPSS)

Summary

CVE-2026-35400 is a low-severity Link Following (CWE-59) vulnerability in Mcgill Loris. Its CVSS base score is 3.5 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Email Spoofing (T1684.002). The CVE is ranked at the 10.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

Vulnerability details

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 20.0.0 to before 27.0.3 and 28.0.1, an endpoint in the publication module was incorrectly trusting the baseURL submitted by a user's POST request rather than the internal LORIS value. This could result in a theoretical attacker with publication module access forging an email to an external domain under the attacker's control which appeared to come from LORIS. This vulnerability is fixed in 27.0.3 and 28.0.1.
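The flaw described above, as an added illustration that is not LORIS's own code: a hypothetical PHP notification builder that takes `baseURL` from the POST body, beside the corrected form that only uses the server-side configured value. The function names, the `loris_base_url()` helper, the `publication/<id>` path and the sample request are all assumptions.

```php
<?php
// Added illustration of the CVE-2026-35400 pattern; hypothetical code, not LORIS's.
// Assumptions: the publication module emails reviewers a link to the new
// submission, and loris_base_url() returns the server-side configured base URL.

declare(strict_types=1);

function loris_base_url(): string
{
    // Assumed: read from server-side configuration, never from the request.
    return 'https://loris.example.org/';
}

function notice_body(string $base, string $id): string
{
    return 'A new publication was submitted. Review it at: '
        . rtrim($base, '/') . '/publication/' . urlencode($id);
}

// VULNERABLE pattern: the link in the email is built from a value the client
// chose, so a user with publication-module access controls where the link in
// a mail sent from LORIS's own address points.
function build_notice_vulnerable(array $post): string
{
    $base = $post['baseURL'] ?? loris_base_url();
    return notice_body($base, $post['id'] ?? '');
}

// FIXED pattern: any client-supplied baseURL is ignored; the internal value is
// the only source of the link's origin.
function build_notice_fixed(array $post): string
{
    return notice_body(loris_base_url(), $post['id'] ?? '');
}

// Constructed sample POST body with an attacker-chosen baseURL.
$post = ['id' => '42', 'baseURL' => 'https://attacker.example/'];

echo build_notice_vulnerable($post), PHP_EOL; // link origin: attacker.example
echo build_notice_fixed($post), PHP_EOL;      // link origin: loris.example.org
```

The review check this suggests for any mail-sending endpoint is to grep templates and handlers for request-derived host or scheme components; a mail that must carry a link back to the application should derive that link's origin from configuration alone.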

Related Threats

MITRE ATT&CK Enterprise Techniques

T1684.002 Email Spoofing (Stealth)
Adversaries may fake, or spoof, a sender’s identity by modifying the value of relevant email headers in order to establish contact with victims under false pretenses.
Why these techniques?

The vulnerability directly enables forging emails that appear to originate from LORIS by abusing the untrusted baseURL in the publication module.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

mcgill / loris: 28.0.0; 20.0.0 through 27.0.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.