CVE-2026-35400: CWE-59: Improper Link Resolution Before File Access ('Link Following') in aces Loris
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data and project management for neuroimaging research. In versions from 20.0.0 up to, but not including, 27.0.3 and 28.0.1, an endpoint in the publication module trusted the baseURL submitted in a user's POST request instead of the internal LORIS value. An attacker with publication module access could use this to forge an email to an external domain under the attacker's control that appeared to come from LORIS. This vulnerability is fixed in 27.0.3 and 28.0.1.
AI Analysis
Technical Summary
The LORIS application improperly trusts the baseURL submitted in a user's POST request to the publication module, rather than using the internal LORIS value. This flaw allows a user with access to the publication module to forge emails to external domains that appear to originate from LORIS. The vulnerability affects versions from 20.0.0 up to but not including 27.0.3, and from 28.0.0 up to but not including 28.0.1; it is addressed in versions 27.0.3 and 28.0.1. The CVSS 3.1 base score is 3.5 (low severity): network attack vector, low attack complexity, low privileges required, user interaction required, and an impact on integrity only.
Potential Impact
The vulnerability allows an attacker with publication module access to send forged emails that appear to come from the LORIS system to external domains. There is no impact on confidentiality or availability. The integrity impact is low, as the attacker can only manipulate the sender address in emails. No known exploits are reported in the wild.
Mitigation Recommendations
A fix is available in LORIS versions 27.0.3 and 28.0.1. Users should upgrade to these or later versions to remediate the vulnerability. Since this is a self-hosted application, administrators must apply the update manually. Patch status is confirmed by the vendor's versioning information. No additional mitigation steps are specified.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-04-02T17:03:42.074Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69d6b51c1cc7ad14daaa5cfe
Added to database: 4/8/2026, 8:05:48 PM
Last enriched: 4/8/2026, 8:20:47 PM
Last updated: 4/9/2026, 8:16:05 AM