Home / Vulnerability Intelligence / CVE-2026-35169

CVE-2026-35169 - Vulnerability Analysis

HighCVSS: 8.7

Last Updated: April 8, 2026

LORIS - Reflected XSS

Published: April 8, 2026Updated: April 8, 2026Remote Exploitable

Overview

LORIS < 27.0.3 and < 28.0.1 contains a reflected cross-site scripting caused by improper sanitization of user-supplied variables in the help_editor module, letting attackers execute scripts or download arbitrary markdown files, exploit requires user to follow a crafted link.

Severity & Score

Severity: High

CVSS Score: 8.7

EPSS Score: 3.2%(Probability of exploitation in next 30 days)

Impact

Attackers can execute scripts in users' browsers or download arbitrary markdown files, potentially leading to data exposure or session compromise.

Mitigation

Update to version 27.0.3 or 28.0.1.

References

https://github.com/aces/Loris/security/advisories/GHSA-j2p3-58m2-v6q3

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Apr 9, 2026

🟠 CVE-2026-35169 - High (8.7) LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From to before 27.0.3 and 28.0.1, the help_editor module of LORIS did not properly sani... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-35169/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-35169
Severity: High
CVSS Score: 8.7
Type: reflected_xss
Status: unconfirmed
EPSS: 3.2%
Social Posts: 1

CWE

CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

EPSS Score

3.2%Probability of exploitation in the next 30 days