CVE-2026-35169: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in aces Loris
CVE-2026-35169 is a high-severity vulnerability in the aces LORIS web application affecting versions before 27. 0. 3 and between 28. 0. 0 and 28. 0. 1. The help_editor module did not properly sanitize certain user-supplied input, leading to a reflected cross-site scripting (XSS) vulnerability. This flaw could allow an attacker to execute arbitrary scripts if a user is tricked into following a malicious link. Additionally, the same input vector could enable an attacker to download arbitrary markdown files from an unpatched server.
AI Analysis
Technical Summary
LORIS is a self-hosted web application for neuroimaging research data management. Versions prior to 27.0.3 and between 28.0.0 and 28.0.1 contain a reflected XSS vulnerability in the help_editor module due to improper sanitization of user input. This vulnerability allows attackers to execute arbitrary scripts in the context of a victim's browser when the victim follows a crafted link. Furthermore, the same input flaw can be exploited to download arbitrary markdown files from the server. The issue is addressed in versions 27.0.3 and 28.0.1 of LORIS.
Potential Impact
Successful exploitation can lead to high impact including execution of arbitrary scripts in the victim's browser, potentially resulting in credential theft, session hijacking, or other malicious actions. Additionally, unauthorized download of markdown files could lead to information disclosure. There is no indication of denial of service or system-level compromise. No known exploits have been reported in the wild.
Mitigation Recommendations
This vulnerability is fixed in LORIS versions 27.0.3 and 28.0.1. Users should upgrade to these or later versions to remediate the issue. Patch status is not explicitly confirmed by a vendor advisory in the provided data, but the description states the issue is fixed in these versions. No additional mitigation steps are indicated.
CVE-2026-35169: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in aces Loris
Description
CVE-2026-35169 is a high-severity vulnerability in the aces LORIS web application affecting versions before 27. 0. 3 and between 28. 0. 0 and 28. 0. 1. The help_editor module did not properly sanitize certain user-supplied input, leading to a reflected cross-site scripting (XSS) vulnerability. This flaw could allow an attacker to execute arbitrary scripts if a user is tricked into following a malicious link. Additionally, the same input vector could enable an attacker to download arbitrary markdown files from an unpatched server.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
LORIS is a self-hosted web application for neuroimaging research data management. Versions prior to 27.0.3 and between 28.0.0 and 28.0.1 contain a reflected XSS vulnerability in the help_editor module due to improper sanitization of user input. This vulnerability allows attackers to execute arbitrary scripts in the context of a victim's browser when the victim follows a crafted link. Furthermore, the same input flaw can be exploited to download arbitrary markdown files from the server. The issue is addressed in versions 27.0.3 and 28.0.1 of LORIS.
Potential Impact
Successful exploitation can lead to high impact including execution of arbitrary scripts in the victim's browser, potentially resulting in credential theft, session hijacking, or other malicious actions. Additionally, unauthorized download of markdown files could lead to information disclosure. There is no indication of denial of service or system-level compromise. No known exploits have been reported in the wild.
Mitigation Recommendations
This vulnerability is fixed in LORIS versions 27.0.3 and 28.0.1. Users should upgrade to these or later versions to remediate the issue. Patch status is not explicitly confirmed by a vendor advisory in the provided data, but the description states the issue is fixed in these versions. No additional mitigation steps are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-01T17:26:21.133Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d736f91cc7ad14da418a5a
Added to database: 4/9/2026, 5:19:53 AM
Last enriched: 4/16/2026, 12:20:37 PM
Last updated: 5/25/2026, 7:17:11 AM
Views: 45
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.